
Windows Analysis Report
Setup64v7.3.9.exe

Overview

General Information

Sample name: Setup64v7.3.9.exe
Analysis ID: 1580842
MD5: adbae5ff217253f04132277916d5af08
SHA1: 148a186f26caa8fc6298ea9bf6641add1cfa2160
SHA256: 9a10f85e8932ecec7724c573c91f32b086af49d0c6f1fc9e219328473ef31c67
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Adds a directory exclusion to Windows Defender
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup64v7.3.9.exe (PID: 2612 cmdline: "C:\Users\user\Desktop\Setup64v7.3.9.exe" MD5: ADBAE5FF217253F04132277916D5AF08)
    • Setup64v7.3.9.tmp (PID: 5708 cmdline: "C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" MD5: 9C495CFE45360DE58A589F398974999F)
      • powershell.exe (PID: 1088 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5040 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • Setup64v7.3.9.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT MD5: ADBAE5FF217253F04132277916D5AF08)
        • Setup64v7.3.9.tmp (PID: 2020 cmdline: "C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp" /SL5="$20468,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT MD5: 9C495CFE45360DE58A589F398974999F)
          • 7zr.exe (PID: 6692 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6984 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 2892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • Conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4564 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6516 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5692 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6716 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7156 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1272 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5620 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1488 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5988 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1372 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3660 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1488 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp, ParentProcessId: 5708, ParentProcessName: Setup64v7.3.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 1088, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4564, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6516, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp, ParentProcessId: 5708, ParentProcessName: Setup64v7.3.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 1088, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4564, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6516, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp, ParentProcessId: 5708, ParentProcessName: Setup64v7.3.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 1088, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsv.vbc; Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\bv2p0UUx502h.tmp; Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\bv2p0UUx502h.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\hrsv.vbc; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\bv2p0UUx502h.tmp; Joe Sandbox ML: detected
Source: Setup64v7.3.9.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Setup64v7.3.9.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2120644091.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2120821222.0000000003150000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00256868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00256868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00257496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00257496
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup64v7.3.9.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup64v7.3.9.exe, 00000000.00000003.2020784612.000000007F75B000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.exe, 00000000.00000003.2020173262.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.tmp, 00000001.00000000.2022132100.0000000000631000.00000020.00000001.01000000.00000004.sdmp, Setup64v7.3.9.tmp, 00000007.00000000.2085688208.0000000000F7D000.00000020.00000001.01000000.00000008.sdmp, Setup64v7.3.9.tmp.0.dr, Setup64v7.3.9.tmp.6.dr; String found in binary or memory: https://www.innosetup.com/
Source: Setup64v7.3.9.exe, 00000000.00000003.2020784612.000000007F75B000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.exe, 00000000.00000003.2020173262.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.tmp, 00000001.00000000.2022132100.0000000000631000.00000020.00000001.01000000.00000004.sdmp, Setup64v7.3.9.tmp, 00000007.00000000.2085688208.0000000000F7D000.00000020.00000001.01000000.00000008.sdmp, Setup64v7.3.9.tmp.0.dr, Setup64v7.3.9.tmp.6.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp; Process information set: 01 00 00 00
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_002582FB: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,11_2_002582FB
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmpCode function: 7_2_6C6F07507_2_6C6F0750
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmpCode function: 7_2_6C6F3AF07_2_6C6F3AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code functions (69): 11_2_002981EC, 11_2_002D81C0, 11_2_002E8240, 11_2_002C4250, 11_2_002EC3C0, 11_2_002E04C8, 11_2_002C8650, 11_2_002A0943, 11_2_002CC950, 11_2_002C8C20, 11_2_002E0E00, 11_2_002E4EA0, 11_2_002B10AC, 11_2_002DD089, 11_2_002E1120, 11_2_002D5180, 11_2_002E91C0, 11_2_002CD1D0, 11_2_002ED2C0, 11_2_002B53F3, 11_2_002553CF, 11_2_002ED470, 11_2_0029D496, 11_2_002E54D0, 11_2_00251572, 11_2_002E1550, 11_2_002A9652, 11_2_002DD6A0, 11_2_00269766, 11_2_002597CA, 11_2_002ED9E0, 11_2_00251AA1, 11_2_002D5E80, 11_2_002D5F80, 11_2_0026E00A, 11_2_002D22E0, 11_2_002F2300, 11_2_002BE49F, 11_2_002D25F0, 11_2_002CA6A0, 11_2_002C66D0, 11_2_002EE990, 11_2_002D2A80, 11_2_002AAB11, 11_2_002D6CE0, 11_2_002D70D0, 11_2_002BB121, 11_2_002CB180, 11_2_002E7200, 11_2_002DF3A0, 11_2_0027B3E4, 11_2_002EF3C0, 11_2_002DF420, 11_2_002C7410, 11_2_002E3530, 11_2_002CF500, 11_2_002F351A, 11_2_002EF599, 11_2_002F3601, 11_2_002C3790, 11_2_002E77C0, 11_2_0027F8E0, 11_2_002CF910, 11_2_002A3AEF, 11_2_002D7AF0, 11_2_0026BAC9, 11_2_002D7C50, 11_2_0026BC92, 11_2_002CFDF0
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\7zr.exe, SHA256 BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsv.vbc, SHA256 02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 002EFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 002528E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00251E40 appears 172 times
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Code function: String function: 6C666240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Code function: String function: 6C703F10 appears 728 times
Source: Setup64v7.3.9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA, type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v7.3.9.tmp.6.dr | Static PE information: Resource name: RT_RCDATA, type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v7.3.9.tmp.6.dr | Static PE information: Number of sections: 11 > 10
Source: Setup64v7.3.9.tmp.0.dr | Static PE information: Number of sections: 11 > 10
Source: Setup64v7.3.9.exe | Static PE information: Number of sections: 11 > 10
Source: Setup64v7.3.9.exe, 00000000.00000003.2020173262.00000000037BF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe, 00000000.00000000.2018674779.0000000000DF9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe, 00000000.00000003.2020784612.000000007FA4B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
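The static findings above (an RT_RCDATA resource holding a PE32+ console x86-64 image, a section count of 11 against the usual ceiling of 10, and the EXECUTABLE_IMAGE / 32BIT_MACHINE characteristics of the outer installer) can be reproduced with a small carver. The block below is an added example and is not code from the Joe Sandbox report or from the sample; it scans a byte blob for MZ/PE headers rather than walking the resource directory, and the carrier and embedded images it inspects are constructed header-only stubs with no code, not the real files.

```python
# Added example, not part of the Joe Sandbox report: a minimal carver that finds
# PE images embedded in a blob (such as an RT_RCDATA resource) and reports the
# same facts the report's static checks state: PE32/PE32+, machine, subsystem,
# COFF characteristics and whether the section count exceeds the usual 10.
import struct
from dataclasses import dataclass

MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                   0x0100: "32BIT_MACHINE", 0x2000: "DLL"}

@dataclass(frozen=True)
class EmbeddedPE:
    offset: int            # where the MZ header starts in the blob
    fmt: str               # "PE32" or "PE32+"
    machine: str
    subsystem: str
    sections: int
    characteristics: tuple

    def describe(self) -> str:
        note = f", {self.sections} sections > 10" if self.sections > 10 else ""
        return f"{self.fmt} executable ({self.subsystem}) {self.machine}{note}"

def parse_pe_at(blob: bytes, off: int):
    """Return an EmbeddedPE if a plausible PE image starts at blob[off], else None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + opt_size > len(blob):
        return None
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(struct.unpack_from("<H", blob, opt)[0])
    if fmt is None:
        return None
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]   # same offset in PE32 and PE32+
    flags = tuple(name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit)
    return EmbeddedPE(off, fmt, MACHINES.get(machine, hex(machine)),
                      SUBSYSTEMS.get(subsystem, str(subsystem)), nsections, flags)

def carve_pe(blob: bytes):
    """Check every 'MZ' occurrence; the outer file itself is reported at offset 0."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(blob, pos)
        if hit:
            found.append(hit)
        pos = blob.find(b"MZ", pos + 1)
    return found

def build_fake_pe(fmt: str, machine: int, subsystem: int, sections: int, chars: int) -> bytes:
    """Construct a header-only PE image (DOS stub, COFF header, optional header) for the demo."""
    magic = 0x20B if fmt == "PE32+" else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 66 + struct.pack("<H", subsystem) + b"\0" * (240 - 70)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, len(opt), chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * (0x80 - 0x40)  # e_lfanew = 0x80
    return dos + coff + opt

# Constructed sample: a PE32 x86 GUI carrier (EXECUTABLE_IMAGE | 32BIT_MACHINE) with a
# PE32+ x86-64 console image of 11 sections stored after it, surrounded by filler bytes.
SAMPLE_BLOB = (build_fake_pe("PE32", 0x014C, 2, 5, 0x0102) + b"\x00" * 64
               + build_fake_pe("PE32+", 0x8664, 3, 11, 0x0022) + b"\xCC" * 32)
```

Run against the constructed blob, carve_pe reports the carrier at offset 0 and the embedded image at offset 456, and describe() on the second hit yields the same wording the report uses for the resource ("PE32+ executable (console) x86-64") plus the section-count flag. Against a real installer the blob would be the RT_RCDATA bytes read with a PE parser; the carver itself is format-agnostic.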
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@136/31@0/0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00259313 _isatty, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00263D66 __EH_prolog, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00259252 DeviceIoControl, GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-L468Q.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:N:120:WilError_03, with N = 1576, 1276, 2968, 7156, 4564, 6128, 4824, 5988, 7128, 4676, 4292, 1784, 5648, 1048, 1272, 5532, 7140, 5908, 6176, 6640, 7148, 6204, 6544, 1488, 2072, 5440, 2300, 1436 (28 instances)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:N:120:WilError_03, with N = 432, 2968, 5532 (3 instances)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (recorded twice)
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (recorded twice)
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (recorded twice)
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (recorded twice)
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Setup64v7.3.9.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | File read: C:\Users\user\Desktop\Setup64v7.3.9.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe"
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp" /SL5="$20468,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar (recorded 27 times)
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (recorded 19 times)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (recorded 5 times)
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (recorded 3 times)
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (recorded 16 times)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (recorded 5 times)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (recorded 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp" /SL5="$20468,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (recorded 31 times)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Setup64v7.3.9.exe Static file information: File size 11954989 > 1048576
Source: Setup64v7.3.9.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2120644091.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2120821222.0000000003150000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_002D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,11_2_002D57D0
Source: bv2p0UUx502h.tmp.1.dr Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup64v7.3.9.tmp.6.dr Static PE information: real checksum: 0x0 should be: 0x32a8f0
Source: hrsv.vbc.7.dr Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup64v7.3.9.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x32a8f0
Source: bv2p0UUx502h.tmp.7.dr Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: tProtect.dll.13.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: Setup64v7.3.9.exe Static PE information: section name: .didata
Source: Setup64v7.3.9.tmp.0.dr Static PE information: section name: .didata
Source: bv2p0UUx502h.tmp.1.dr Static PE information: section name: .00cfg
Source: bv2p0UUx502h.tmp.1.dr Static PE information: section name: .voltbl
Source: bv2p0UUx502h.tmp.1.dr Static PE information: section name: .XkS
Source: Setup64v7.3.9.tmp.6.dr Static PE information: section name: .didata
Source: 7zr.exe.7.dr Static PE information: section name: .sxdata
Source: bv2p0UUx502h.tmp.7.dr Static PE information: section name: .00cfg
Source: bv2p0UUx502h.tmp.7.dr Static PE information: section name: .voltbl
Source: bv2p0UUx502h.tmp.7.dr Static PE information: section name: .XkS
Source: hrsv.vbc.7.dr Static PE information: section name: .00cfg
Source: hrsv.vbc.7.dr Static PE information: section name: .voltbl
Source: hrsv.vbc.7.dr Static PE information: section name: .XkS
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Code function: 7_2_6C6689F4 push 004AC35Ch; ret 7_2_6C668A0E
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Code function: 7_2_6C704290 push eax; ret 7_2_6C7042BE
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp Code function: 7_2_6C703F10 push eax; ret 7_2_6C703F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_002545F4 push 002FC35Ch; ret 11_2_0025460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_002EFB10 push eax; ret 11_2_002EFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_002EFE90 push eax; ret 11_2_002EFEBE
Source: bv2p0UUx502h.tmp.1.dr Static PE information: section name: .text entropy: 6.902892302303514
Source: bv2p0UUx502h.tmp.7.dr Static PE information: section name: .text entropy: 6.902892302303514
Source: hrsv.vbc.7.dr Static PE information: section name: .text entropy: 6.902892302303514
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe File created: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp File created: C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp File created: C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp File created: C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp File created: C:\Program Files (x86)\Windows NT\hrsv.vbc
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp File created: C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe File created: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (89 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | System information queried: FirmwareTableInformation (the SMBIOS/ACPI table data that GetSystemFirmwareTable exposes; hypervisor vendor strings live there)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (equals Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds, so the wait is effectively unbounded)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3828
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Window / User API: threadDelayed 560
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Window / User API: threadDelayed 579
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Window / User API: threadDelayed 536
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsv.vbc
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532 | Thread sleep count: 5958 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532 | Thread sleep count: 3828 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (32 identical entries)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00256868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_00256868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00257496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_00257496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00259C60 GetSystemInfo, 11_2_00259C60
Source: Setup64v7.3.9.tmp, 00000001.00000002.2089645902.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Setup64v7.3.9.tmp, 00000001.00000002.2089645902.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
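The firmware-table query and the VMware CD-ROM device path above are the raw material of a VM check. The PowerShell below is an added example, not part of this Joe Sandbox report and not the sample's own code: it reproduces what such a check sees on an analysis host by reading the raw SMBIOS table through the root\wmi MSSmBios_RawSMBiosTables class (the same bytes an RSMB firmware-table query returns) and by inspecting optical and disk drive PnP IDs. The marker lists, the function names and the constructed sample inputs are our own assumptions; the device path fed to the second function is the string the report shows in Setup64v7.3.9.tmp's memory.

```powershell
# Added example, not code from the Joe Sandbox report or from the sample.
# Assumptions (ours): root\wmi is readable on the host, and the marker
# lists below are a reasonable but not exhaustive choice.

function Get-HypervisorMarkers {
    param(
        # Raw SMBIOS bytes; the default reads the live table, the same data the
        # firmware-table query returns. Pass -SmbiosData to analyse offline.
        [byte[]]$SmbiosData = (Get-CimInstance -Namespace root\wmi -ClassName MSSmBios_RawSMBiosTables).SMBiosData,
        [string[]]$Markers = @('VMware', 'VirtualBox', 'innotek', 'QEMU', 'Xen', 'Parallels', 'Hyper-V', 'BOCHS', 'Virtual Machine')
    )
    # SMBIOS string sets are NUL-separated ASCII; keep printable runs of 4+ chars
    # so Manufacturer / Product / Serial values can be matched as whole strings.
    $text    = [System.Text.Encoding]::ASCII.GetString($SmbiosData)
    $strings = [regex]::Matches($text, '[\x20-\x7E]{4,}') | ForEach-Object { $_.Value }
    foreach ($m in $Markers) {
        $hit = $strings | Where-Object { $_ -like "*$m*" } | Select-Object -First 1
        if ($hit) { [pscustomobject]@{ Source = 'SMBIOS'; Marker = $m; Evidence = $hit } }
    }
}

function Get-VirtualDeviceIds {
    param(
        # PnP IDs of optical and disk drives; the default collects them live.
        # @() on each side forces array concatenation instead of string joining.
        [string[]]$DeviceIds = @((Get-CimInstance Win32_CDROMDrive).PNPDeviceID) +
                               @((Get-CimInstance Win32_DiskDrive).PNPDeviceID)
    )
    foreach ($id in $DeviceIds) {
        # -match is case-insensitive, so 'NECVMWar' is caught by 'VMWAR'.
        if ($id -match 'VMWAR|VBOX|QEMU|VIRTUAL|XEN') {
            [pscustomobject]@{ Source = 'PnP'; Marker = $Matches[0]; Evidence = $id }
        }
    }
}

# Constructed inputs (not captured from the sandbox): a Type 1 string set as it
# would appear after an SMBIOS structure header, and the device-interface path
# the report lists under "Binary or memory string".
$sampleSmbios = [System.Text.Encoding]::ASCII.GetBytes(
    "VMware, Inc.`0VMware Virtual Platform`0None`0VMware-42 1a 2b 3c`0`0")
$samplePath   = '\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

Get-HypervisorMarkers -SmbiosData $sampleSmbios   # two rows: 'VMware', 'Virtual Machine' is not present, so one marker hits
Get-VirtualDeviceIds  -DeviceIds  @($samplePath)  # one row: Marker 'VMWar'
```

Run without arguments on the sandbox image itself to see which of these strings a sample would find; anything that shows up is a candidate for the hypervisor's SMBIOS and device-ID customisation, which is cheaper than patching the sample's checks one by one.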

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger; 2 entries)
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_002D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_002D57D0
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Code function: 7_2_6C647676 mov eax, dword ptr fs:[00000030h] 7_2_6C647676 (fs:[30h] is the PEB pointer on 32-bit Windows; the BeingDebugged flag is read from there)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 entries)
Source: tProtect.dll.13.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp | Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 entries)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
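Two of the process creations above leave host-side artefacts that are easy to audit: a Defender exclusion for the whole C: drive, and a service registered as a kernel-mode driver whose image is a .dll under Program Files (x86)\Windows NT rather than a .sys under System32\drivers. The PowerShell below is an added example, not part of this Joe Sandbox report, that hunts for both. The function names, the allow-list of driver directories, the "broad path" patterns and the constructed demo objects are our own assumptions; the CleverSoar demo object mirrors the report's sc create line.

```powershell
# Added example, not code from the Joe Sandbox report or from the sample.
# Assumptions (ours): run elevated on the host under review; the trusted
# driver directories and the "broad exclusion" patterns are our choice.

function Test-BroadExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # A drive root ('C:\'), the Windows dir, Program Files, the Users root or a
    # UNC prefix disables real-time scanning for almost everything on the box.
    $broad = @(
        '^[A-Za-z]:\\?$',
        '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?|Users)\\?$',
        '^\\\\'
    )
    foreach ($re in $broad) { if ($Path -match $re) { return $true } }
    return $false
}

function Get-SuspiciousDefenderExclusions {
    param([string[]]$ExclusionPath = (Get-MpPreference).ExclusionPath)
    foreach ($p in $ExclusionPath) {
        if ($p -and (Test-BroadExclusion $p)) {
            [pscustomobject]@{ Finding = 'broad Defender exclusion'; Value = $p }
        }
    }
}

function Get-SuspiciousKernelServices {
    param(
        # Objects with Name, Type, ImagePath, Start; the default reads them from
        # the Services key so services that were created but never started are seen.
        [object[]]$Service = (Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
            ForEach-Object { Get-ItemProperty $_.PSPath |
                Select-Object @{n='Name';e={$_.PSChildName}}, Type, ImagePath, Start }),
        [string[]]$TrustedDirs = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore")
    )
    foreach ($s in $Service) {
        if ($s.Type -ne 1 -or -not $s.ImagePath) { continue }   # Type 1 = SERVICE_KERNEL_DRIVER
        # Kernel-driver ImagePath values are often stored in NT form ('\??\C:\...')
        # or relative to SystemRoot ('System32\drivers\x.sys'); normalise both.
        $img = $s.ImagePath -replace '^\\\?\?\\', ''
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }
        $inTrusted = $false
        foreach ($d in $TrustedDirs) { if ($img -like "$d\*") { $inTrusted = $true } }
        $badExt = [IO.Path]::GetExtension($img) -ne '.sys'
        if (-not $inTrusted -or $badExt) {
            [pscustomobject]@{
                Service   = $s.Name
                ImagePath = $img
                AutoStart = ($s.Start -eq 2)                     # 2 = SERVICE_AUTO_START
                Reason    = @(
                    if (-not $inTrusted) { 'image outside driver directories' }
                    if ($badExt)         { 'kernel driver without .sys extension' }
                ) -join '; '
            }
        }
    }
}

function Get-DriverInstallEvents {
    # System log 7045 is written by the SCM for every new service; the message
    # body names the service type, so kernel drivers can be filtered on it.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        Select-Object TimeCreated, @{n='Message'; e={ $_.Message -replace '\s+', ' ' }}
}

# Constructed input mirroring the report's 'sc create CleverSoar ... type= kernel
# start= auto' line; not read from a live registry.
$demoService = [pscustomobject]@{
    Name = 'CleverSoar'; Type = 1; Start = 2
    ImagePath = '\??\C:\Program Files (x86)\Windows NT\tProtect.dll'
}
Get-SuspiciousDefenderExclusions -ExclusionPath @('C:\')     # one finding: 'C:\'
Get-SuspiciousKernelServices     -Service @($demoService)    # one finding, both reasons
```

Without arguments the three collectors run against the live host, which is how you would sweep a fleet after this installer has been seen. Note that the registry walk catches the service even though the report lists tProtect.dll among the dropped PE files that were never started: the 31 repeated sc start attempts suggest the driver did not load in the sandbox, but the service entry persists regardless.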
Source: C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp | Code function: 7_2_6C704720 cpuid 7_2_6C704720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0025AB2A GetSystemTimeAsFileTime, 11_2_0025AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_002F0090 GetVersion, 11_2_002F0090
MITRE ATT&CK matrix, one line per tactic column. Numbers in square brackets are the signature-count badges exactly as the report shows them next to the technique; techniques without a badge are the matrix template and were not triggered.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Service Execution [1]; Native API [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [111]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [311]; Process Discovery [1]; Virtualization/Sandbox Evasion [231]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [3]; System Information Discovery [25]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1580842 | Sample: Setup64v7.3.9.exe | Start date: 26/12/2024 | Architecture: WINDOWS | Score: 80

Signatures attached to the root node: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; Machine Learning detection for dropped file; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree as drawn in the graph (numbers in parentheses are the per-node file/registry counters the graph shows):

Setup64v7.3.9.exe (2)
    dropped: C:\Users\user\AppData\...\Setup64v7.3.9.tmp, PE32
    Setup64v7.3.9.tmp (3 5) - signature: Adds a directory exclusion to Windows Defender
        dropped: C:\Users\user\AppData\...\bv2p0UUx502h.tmp, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        Setup64v7.3.9.exe (2)
            dropped: C:\Users\user\AppData\...\Setup64v7.3.9.tmp, PE32
            Setup64v7.3.9.tmp (4 15) - signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers
                dropped: C:\Users\user\AppData\...\bv2p0UUx502h.tmp, PE32; C:\Program Files (x86)\Windows NT\hrsv.vbc, PE32; C:\Program Files (x86)\Windows NT\7zr.exe, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                7zr.exe (2)
                    dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
                    conhost.exe
                cmd.exe
                    sc.exe
                    Conhost.exe
                7zr.exe (7)
                    conhost.exe
        powershell.exe (22) - signature: Loading BitLocker PowerShell Module
            conhost.exe
            WmiPrvSE.exe
        conhost.exe
cmd.exe
    sc.exe (1)
        conhost.exe
cmd.exe
    sc.exe (1)
        conhost.exe
30 other processes
    sc.exe (1) -> conhost.exe
    sc.exe (1) -> conhost.exe
    sc.exe (1) -> conhost.exe
    26 other processes -> 26 other processes

Source | Detection | Scanner
Setup64v7.3.9.exe | 6% | Virustotal

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\bv2p0UUx502h.tmp | 100% | Joe Sandbox ML
C:\Program Files (x86)\Windows NT\hrsv.vbc | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\bv2p0UUx502h.tmp | 100% | Joe Sandbox ML
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsv.vbc | 11% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal
C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\_isetup\_setup64.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-G7O8S.tmp\bv2p0UUx502h.tmp | 11% | Virustotal
C:\Users\user\AppData\Local\Temp\is-SK5BH.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Setup64v7.3.9.exe | false | | high
https://www.remobjects.com/ps | Setup64v7.3.9.exe, 00000000.00000003.2020784612.000000007F75B000.00000004.00001000.00020000.00000000.sdmp; Setup64v7.3.9.exe, 00000000.00000003.2020173262.00000000036B0000.00000004.00001000.00020000.00000000.sdmp; Setup64v7.3.9.tmp, 00000001.00000000.2022132100.0000000000631000.00000020.00000001.01000000.00000004.sdmp; Setup64v7.3.9.tmp, 00000007.00000000.2085688208.0000000000F7D000.00000020.00000001.01000000.00000008.sdmp; Setup64v7.3.9.tmp.0.dr; Setup64v7.3.9.tmp.6.dr | false | | high
https://www.innosetup.com/ | Setup64v7.3.9.exe, 00000000.00000003.2020784612.000000007F75B000.00000004.00001000.00020000.00000000.sdmp; Setup64v7.3.9.exe, 00000000.00000003.2020173262.00000000036B0000.00000004.00001000.00020000.00000000.sdmp; Setup64v7.3.9.tmp, 00000001.00000000.2022132100.0000000000631000.00000020.00000001.01000000.00000004.sdmp; Setup64v7.3.9.tmp, 00000007.00000000.2085688208.0000000000F7D000.00000020.00000001.01000000.00000008.sdmp; Setup64v7.3.9.tmp.0.dr; Setup64v7.3.9.tmp.6.dr | false | | high
        No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580842
Start date and time: 2024-12-26 11:09:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: Setup64v7.3.9.exe
Detection: MAL
Classification: mal80.evad.winEXE@136/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 59%
• Number of executed functions: 95
• Number of non-executed functions: 180
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big: too many NtCreateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
05:10:02 | API Interceptor | 14x Sleep call for process: powershell.exe modified
        No context
Match | Associated Sample Name / URL | Detection | Threat Name
(the "#U5b89#U88c5#U7a0b#U5e8f" prefix below is escaped Unicode for U+5B89 U+88C5 U+7A0B U+5E8F, 安装程序, Chinese for "installer")

C:\Program Files (x86)\Windows NT\7zr.exe | Setup64v4.1.9.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsv.vbc | Setup64v4.1.9.exe | malicious | Unknown
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):831200
                              Entropy (8bit):6.671005303304742
                              Encrypted:false
                              SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                              MD5:84DC4B92D860E8AEA55D12B1E87EA108
                              SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                              SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                              SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              • Antivirus: Virustotal, Detection: 0%, Browse
                              Joe Sandbox View:
                              • Filename: Setup64v4.1.9.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                              • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                              • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                              • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):2748481
                              Entropy (8bit):7.9999407756814565
                              Encrypted:true
                              SSDEEP:49152:WClqzJh23Oi0M7LaKlJJfsxzRZks+DSEzCGg0IeRGOERTRE4CNmlL5yPY:WJh7i0MfTbkxos+xzC7Z4GxRes0Y
                              MD5:0D830652BC6E70E8C2D902B458006FD0
                              SHA1:3B00872D407B0C964F7314745360A4AA87C3A8A1
                              SHA-256:014D57B62167CB0D84BE39D1D82F283FB06C6864BB7E9ECF2FA180B859A09B3F
                              SHA-512:CA6B029DAF07790BE41CAC1A48746E065EE075B735677337075ABCEFED568B87FC1466D0BC46A5230E09164ED318C4E03A869C7D07DBDB34C1B49E1CE64BA10E
                              Malicious:false
                              Preview:.@S.....y...................'n.._..t8@Mp./c.i.,.+SF..7DL)_.~[{%.ea....}@....o.#.;......3E..1...,....Q.....{-.....{.6..w.v.R.'-.P.......n./..3..x.G.;.......Q....8...v..u..^.aQ. 0ce....&?S.Q.%~Q..J...7z.3wHU.^".f..4.5P.*...d{z..@..S.^j.>...&..^g...vr..4.J7Cp..&l....%N..3.w...D:HmZ....s.....G.w....K.~.X...7..o_B..~. #.b...u..ncM.rbX.0..}.u.L....+....5.....Wy......X..\...$v.o..'...h.O.Z..A.j.;1.....bI.<....R.+....qK...)..~..!8....9.`i'A.}...,..W.!4.t..k\x...a......p. .*......X.!{ .F....QI)....b..].g.cNu[....k0..H...;.../E.31]......-.S&.>.D].7_.E...pDk.U4....p.}T..........sgA@Rso..(..L.W......(..x...a]9. e...AS.n...(. .:...s.....j.O\..# .s.9.C.......d.0$...w~..whw..Q....3&....g....I...r......^..=@UQ$0=.-..b....~.@cuKm.R).u.6=.......h8....8.j..O.!.)..b..q....4.Cky.L^..e.....1.c........|..`..S.`c.wc.zh...B.o..s...#Y.V.x...... N.W...........s......3...3q..w....j.'.....:!.=(z-.u......;..d..#.aIhS...t..........4..<U......[.0=b..8...#.W..t.~v.
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 11%, Browse
                              Joe Sandbox View:
                              • Filename: Setup64v4.1.9.exe, Detection: malicious, Browse
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):2748481
                              Entropy (8bit):7.9999407756814565
                              Encrypted:true
                              SSDEEP:49152:WClqzJh23Oi0M7LaKlJJfsxzRZks+DSEzCGg0IeRGOERTRE4CNmlL5yPY:WJh7i0MfTbkxos+xzC7Z4GxRes0Y
                              MD5:0D830652BC6E70E8C2D902B458006FD0
                              SHA1:3B00872D407B0C964F7314745360A4AA87C3A8A1
                              SHA-256:014D57B62167CB0D84BE39D1D82F283FB06C6864BB7E9ECF2FA180B859A09B3F
                              SHA-512:CA6B029DAF07790BE41CAC1A48746E065EE075B735677337075ABCEFED568B87FC1466D0BC46A5230E09164ED318C4E03A869C7D07DBDB34C1B49E1CE64BA10E
                              Malicious:false
                              Preview:.@S.....y...................'n.._..t8@Mp./c.i.,.+SF..7DL)_.~[{%.ea....}@....o.#.;......3E..1...,....Q.....{-.....{.6..w.v.R.'-.P.......n./..3..x.G.;.......Q....8...v..u..^.aQ. 0ce....&?S.Q.%~Q..J...7z.3wHU.^".f..4.5P.*...d{z..@..S.^j.>...&..^g...vr..4.J7Cp..&l....%N..3.w...D:HmZ....s.....G.w....K.~.X...7..o_B..~. #.b...u..ncM.rbX.0..}.u.L....+....5.....Wy......X..\...$v.o..'...h.O.Z..A.j.;1.....bI.<....R.+....qK...)..~..!8....9.`i'A.}...,..W.!4.t..k\x...a......p. .*......X.!{ .F....QI)....b..].g.cNu[....k0..H...;.../E.31]......-.S&.>.D].7_.E...pDk.U4....p.}T..........sgA@Rso..(..L.W......(..x...a]9. e...AS.n...(. .:...s.....j.O\..# .s.9.C.......d.0$...w~..whw..Q....3&....g....I...r......^..=@UQ$0=.-..b....~.@cuKm.R).u.6=.......h8....8.j..O.!.)..b..q....4.Cky.L^..e.....1.c........|..`..S.`c.wc.zh...B.o..s...#Y.V.x...... N.W...........s......3...3q..w....j.'.....:!.=(z-.u......;..d..#.aIhS...t..........4..<U......[.0=b..8...#.W..t.~v.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.996815400902768
                              Encrypted:true
                              SSDEEP:768:0R3QA3V+WC+UzY723gGLMWAtbzPUwZjTebZWztwg0aV2MFlWEnAYyJuMvj1Jv+Wx:0D+KUsiQ/bUCPeWzqY2MndAYcurbGL
                              MD5:C97C44555B7F975D023CC65DCDDF68EB
                              SHA1:43609D490DD922B0CBF63F7CFE505AFF639C5F36
                              SHA-256:F4468B85D282F7C8583F9009E30CE20BA3FC3C377C768A21A22E27D2675EFD5F
                              SHA-512:B72BF2AFB2FD51DF0B283E76DD286130BF36204A7C1A7CCE6C169E2674AC133CC8EE423931F57A69D66BF66B583697469D33534321FEA6663C75DBD45CE434B8
                              Malicious:false
                              Preview:.@S....R.Y.| .................:....<..2..A..o.(.H3\.....}.gYw...l..8 .|..X.8D}.7?....n.....2.E....:?.k..9k.....-.>P.x?.[.........Xl....L.&..-..tN....X)@....<B..Z...5..k....q..gk/...t.%Y.U^..{+.\<#$...;.M...T?4Q..n&3.F.W..&..&zX.........O..8...R...>...0...$.......(z...(t.XI./'.....rv.M..P.......pPbOu.h.>..nw..r.*.2....{....Y.b..V..r...........C....*m.ZC...m}..`.Y/..P.9.c..XY......W,.k...bUw.W.UE..M..$.l..x..j..8.@.._J..,>.g!..?..-UD....o.2.....@.ln...MD t....kV.+....KO.&.v.A....(..%..5[..z..=y$r....k[.<....a...U`.t..0.?]...j....GM.#.:..~n....N.p....g..~L...<..... ......a4AT.i...K..^.....!./{...3.......k...Z.?... qOn.5......9.........|......^..x....q.Y...)..n...N..;.1...e..t.XIFB.L.....2.Xc...T..b.....NpZ...%..&.......U....i.{.[..+.....on...dr.uCg..uc#S...\.|]..Ws._..J.3@.Vb..^.H.n...YIe7....t.._...o_.........mk....C."O..2./..)C.dD.>...A......=..2.i.u..*..Dv(..d ..`.}..bJ.,.....t.^..W.n..y.....{O0.....3..UO.* .(V..\.....v..^y.id.......U1.D
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.9968154009027685
                              Encrypted:true
                              SSDEEP:1536:BpyRU4PDAHrmUsCTXnUbW7UbePTQk9ZkPw:BpcxPD8r+CrUbxeB9mPw
                              MD5:7A4C36F3B9161F3AB7F9D2402A7C02E4
                              SHA1:82DB74C6EEE5290FB9FEB5F79A3DAD1CB0D65C2F
                              SHA-256:FF78C6499B160AC490E07EDBFCCE1B7BE01D6E8D714BA1DEFAB62A71C7A0565E
                              SHA-512:EE38F7102E594C1CD8147543F19DB992596E537E4BCCECBDB95CCDED6DC6F56BB5395ED4697E7A0C83463D29BD4D1852F1AF7D41E18D2F9A60C8E69837820DA0
                              Malicious:false
                              Preview:7z..'....[.h........2.......5G[ .ZJ.,.R/n..a..(+. .u...YM.$k.....%OX...t....U.....$..[)2..xR!Y.z....Eo\....V%.@k....C.h....s>.V.Q.....T?......^.B...m.q..&gjZQ...5..z:..M..xmQ.....J...%.O......t.....PR..s.D'Vh....:O...0.....$........E.hZ....b.I.REO...N.[..gk.u_....~.0...N.....=.Y.XO...T..T.9=+.S.....`.Q.k ..>Q.'v.v..ee>.pgg3.t...q{.b.P.{..V"..Y.sn`}.u../D7Sv....'..l`..^.,.A...t&..!...I..kk.....O....7..z.2xC.7..-.#.o.#....1..HW......j..U.&......m..-71.....#.......hD..O._.$.x)Q.lQ......X..Q......Fe."....0....^.0..}.Q.....q....>.:..M....r..h.aD..._I....f......F.%d....!.4.'...C..?...^.v...O.%y.Y Rp.l.=DO.-C.^1q..5I.8.h........HG...n..}K{,.)!..Ni...{<u.$.sFD.~..67.2WY...no;..6......z.+>h.T.^..{'Z\.E2..4......+.n.,7.hj.|...y..Q[4..y....q.37.rq..}N...I...k....-.........z...3.....7s.....{......(Zn.'v..9.&."...%7.E1!.[..-h.S5.W.[.U.;.c~.r..6.7*..Jn'...B..(.-.yc.Sz.......nh.Y.E@..K.A{......)...Yx.d.........O.E...r..4....y6.^..X|..b......KQ.y2.....
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255975
                              Encrypted:true
                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                              Malicious:false
                              Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):2748481
                              Entropy (8bit):7.999940775681453
                              Encrypted:true
                              SSDEEP:49152:X7j1hkabNIqw904zbr6Mql0sJGrZm86Yn/WqylS2wRm8yb/y:X7j1hYqE6Mq0/lZebfb6
                              MD5:1A9F36EF4A0B5D5B6B7FEE775862A75F
                              SHA1:9B72F332F257CA5272DD128735DA108607756D21
                              SHA-256:AEE243D9A5078C921BA08F5CD78963BA57059A3BB2B7D1B7D6A6D33887626F88
                              SHA-512:C6BEEF541A4E29D34CE76BC7B5A326CC05BD9A8D985DB492D0FA0F985F9A62576A3CC5EF9BA2B6A871D148C8DE4AA2682570B3FF9BC8B495BD9B9A95483F7C55
                              Malicious:false
                              Preview:7z..'...9.....).....A.......)..8..k^........%..@..[....a....H..T.4.....KQ.A....v..tw..?.g[.n.H.Gxs...t.....gR.d.,.f.$..X.7.z...BQhb>...-.G...v.....j..&..0...jK]n.},.r8.:..w......ElYW....i..0...E..+a..._....].N. .e.pE_...DN..<.)......N...q.+..)..D....w.w$6z...T.5...+......+g.q..l2.P.x<D..!...2.l^.U.....z.$....u.F.DN...+...Q..A.".F..b.z.`.7....)Ac.Dm.j`H..t..1].#sU...RD.s.J.C......<....{<iob.....".V.=...*...F90.. .##..<:.O.*...s.NM)......._.M6.....*.EZ8!+....d.DPZ....d..Y...J....?l..8@..u....=....w.el....OB..m~)D......Jm[@N..-.......R...{...~...u...._..\-^.. ..upx.A-.......b...m.j.B..3.o.6...CQ...{.>......5....u.:.+.GlAb....:i..;..R.[..d=(@S.f.\..yFD..,3e...n*..8.......S...X0m=.:..X.pLnH..r.........::.^M..a.H.....e....W...W..d.r...w..t....y.\...Fc..y.&)......~}.Y!..d.....DY..|c:.K?.51_...........L...z.|$[.C....q...5[''0.L.J+9p".....r.:.XH8..,z.M1.....=....o<....X...L..G.(f.j.*..{..0....y=o.1_~.2*..f.3..q...Q....$.....9...cO.q.OS.[...
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              • Antivirus: Virustotal, Detection: 6%, Browse
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.3411690983537548
                              Encrypted:false
                              SSDEEP:48:dXKLzDlniPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y2:dXazDlniP6whldOVQOj6dKbKsz7
                              MD5:9CFD4A767D5DD4176567334333A293A0
                              SHA1:5FE7A85589762073206593FEBA92C3FCE36BDD46
                              SHA-256:CD0C911EF19EDE3A594B89B660FB8D56ECB6EF267E9DEEAFFE7AC5E5F11C0663
                              SHA-512:19E7D1AA5162EA5BD133165B314D92E177A8FBB9ADDA43ABF9C1D79C9DA8DFE08457D0C170122D3E0623724F4C0D68B3C4E696CC8C67DA2D28E5963807529F14
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkA
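The task definition in the preview above is a logon-triggered task registered at the root of the task library as \turminoob, whose RegistrationInfo names Microsoft Corporation as author and whose principal runs at HighestAvailable. The checker below is an added example and not part of the Joe Sandbox report: it parses Task Scheduler XML and lists the combinations an analyst looks for when reviewing persistence. The first sample is built from the truncated preview above and completed with a hypothetical Exec action (the report does not show what the task runs); the second is a constructed benign control. The set of system directories and the indicator rules are this example's own choices.

```python
"""Triage Windows Task Scheduler XML for persistence indicators.

Added example, not part of the Joe Sandbox report. SAMPLE_TASK_XML is built
from the truncated task preview in the report; its <Actions> element is a
hypothetical completion (the report does not show the task's action).
BENIGN_TASK_XML is a constructed control. SYSTEM_DIRS is this example's choice.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\\turminoob</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System"><UserId>user</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="System">
    <Exec><Command>C:\\ProgramData\\hypothetical\\loader.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\\Microsoft\\Windows\\Hypothetical\\Cleanup</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\hypothetical.exe</Command></Exec>
  </Actions>
</Task>"""


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(xml_text):
    """Return the list of indicators found in one Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    author = _text(root, "t:RegistrationInfo/t:Author")
    uri = _text(root, "t:RegistrationInfo/t:URI")
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    findings = []
    # Inbox Microsoft tasks are registered under \Microsoft\...; a Microsoft author
    # string on a task at the root of the library is an impersonation pattern.
    if author.lower().startswith("microsoft") and not uri.lower().startswith("\\microsoft\\"):
        findings.append(f"author '{author}' but URI '{uri}' is outside \\Microsoft\\")
    if run_level == "HighestAvailable":
        findings.append("RunLevel HighestAvailable (elevated when the user is an admin)")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon trigger (re-runs at every sign-in)")
    if _text(root, "t:Settings/t:AllowHardTerminate") == "false":
        findings.append("AllowHardTerminate=false (resists being stopped)")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(exe, "t:Command")
        if cmd and not cmd.lower().startswith(SYSTEM_DIRS):
            findings.append(f"action outside system directories: {cmd}")
    return findings


if __name__ == "__main__":
    for label, xml_doc in (("report task", SAMPLE_TASK_XML), ("benign control", BENIGN_TASK_XML)):
        hits = triage_task(xml_doc)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

On a live host the same function can be fed the XML returned by `Export-ScheduledTask` or the files under C:\Windows\System32\Tasks; the author and URI check is the one that separates the task above from the genuine Microsoft tasks that also use logon triggers and HighestAvailable.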
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2498321
                              Entropy (8bit):7.999921132510384
                              Encrypted:true
                              SSDEEP:49152:AQFtsREnrRH+oFmVCvnyxkCmXtxQKq8RHqPVy2p7H2K3:5sRMRHFXvnyOCQtaKq9PVyG7H2o
                              MD5:3EE740D2A8E6336AAAFCD5F4245C7265
                              SHA1:F34C0914D873565F9113B0788D95C094439A0085
                              SHA-256:E7D5FBFD0F86019C6AFCE124458085AA3FBCE254EA7E445FDC524003ACBCB55A
                              SHA-512:C6C05ED0A917821D32A4435CB55B169AD3A5F522F0B511C9B0B058C9FA8B470A7CDA287F7D3626BBDF701D5B3ABB88F6585BEB35CBA2D26CCC081E97FAEBAD7B
                              Malicious:false
                              Preview:u4/.......Z.o2;/....i;.....2.5.~....b..v...r.W...y~..c.[.j...QL.......:.-yV.{.@?y.2..zA]T~......t.q. ....S..4,..a... 1..t..^..U...g.P.o.dL.G....P.(5.@.<.}lz$......9. zI......3...B....&.k..@dG.i..JQ0..?..x.:f..<.q...V.3R.S.Hg..m.`..0.y}.l`..?Q....p4}.....+y.U..M..9H.uP_....`C..Q.$..Rs.j\.NxO..>..Q.v..d...H..E..).k....i...?.d...v.5#.G.B0.M....{.[}.!.LU.....g............@...6x.)vJi.y...H..Ue6...C-.m:...2..4...l.Px.w.1n..s...6...}9..O.1......!...+.hs.....O).......u|.s.[..L.i..........7I9/.P...x..D...r..8..>q.3...4....G.n.1.u>FA.Y..b.c..W.#..G.2.5L.....V+...\..Py.8q9.J.L..i.....T...j&.0....Nj..'6.|.!.Qr.W.oGj._f.%.?..._.9...N]...M.....>....]..I..n-......Zo...N0.#..?.d\.4....y...Vl..m..c..X1k..b.T)R.}...f}...6.&>.. .0,8...h...m.yq.:..T.L\,........g0.!~.R.>R...d.B3.....FDV.T~..A.s.^..+9....$.~......T?.#ze..$.+.l..q..s..V..../.......!.(.......`7LP.0.......!.L..S...=..B......w~OP3.....M.3@.....&.......v|K.^........5..%2...3.+.pP
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1510207563435464
                              Encrypted:false
                              SSDEEP:3:Nlllullkv/tz:NllU+v/
                              MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                              SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                              SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                              SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                              Malicious:false
                              Preview:@...e................................................@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                               • Antivirus: Virustotal, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                               • Antivirus: Virustotal, Detection: 11%
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3282432
                              Entropy (8bit):6.577783239160003
                              Encrypted:false
                              SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333Wy:DJYVM+LtVt3P/KuG2ONG9iqLRQh333V
                              MD5:9C495CFE45360DE58A589F398974999F
                              SHA1:DA5D75943481673F424F8845BCA36C2E0B4D3E0A
                              SHA-256:0C824C0E7897345F342E757AF425483E84BCC32885E3C5A29C3CC2D16F5D4CA5
                              SHA-512:A4812E77736860D83082327236EC78B59E1FACAA32AFEADE7BBAA34CB71DA3570B65EAB9B2A68FFF3029A2467D2E4ED433E36B4BE79944EFD5BBEE45FF23D093
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..P........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3282432
                              Entropy (8bit):6.577783239160003
                              Encrypted:false
                              SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333Wy:DJYVM+LtVt3P/KuG2ONG9iqLRQh333V
                              MD5:9C495CFE45360DE58A589F398974999F
                              SHA1:DA5D75943481673F424F8845BCA36C2E0B4D3E0A
                              SHA-256:0C824C0E7897345F342E757AF425483E84BCC32885E3C5A29C3CC2D16F5D4CA5
                              SHA-512:A4812E77736860D83082327236EC78B59E1FACAA32AFEADE7BBAA34CB71DA3570B65EAB9B2A68FFF3029A2467D2E4ED433E36B4BE79944EFD5BBEE45FF23D093
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..P........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
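The 7-Zip log above records 7zr.exe opening locale3.dat, a 31890-byte 7z archive whose method chain ends in 7zAES (AES-encrypted, so a password was supplied on the command line), and extracting a single 63640-byte file, the same size as the 63640-byte PE listed at the top of this section. The sandbox describes every dropped file with a file type, an 8-bit entropy value and an Encrypted flag. The script below is an added example, not part of the report, that reproduces those three fields over constructed byte samples and shows why a high-entropy blob with no recognisable header (like the 2498321-byte file written by 7zr.exe above) gets flagged while a high-entropy PE does not. The 7.9 bits-per-byte threshold and the short magic table are this example's own assumptions, not the sandbox's rules.

```python
"""Entropy and magic-byte triage for dropped files.

Added example, not part of the Joe Sandbox report. All byte samples are
constructed in-script; the encryption threshold and magic table are this
example's own assumptions rather than the sandbox's rules.
"""
import math
from collections import Counter

MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"<Task", "Task Scheduler XML"),
    (b"<?xml", "XML document"),
]
ENCRYPTED_THRESHOLD = 7.9  # bits per byte; assumption for this example


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer, the report's 'Entropy (8bit)' field."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Crude file typing by leading magic bytes; 'data' when nothing matches."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"


def triage(data: bytes) -> dict:
    """Size, type, entropy and payload flags for one file, as the report tabulates them."""
    ent = shannon_entropy(data)
    kind = identify(data)
    high = ent >= ENCRYPTED_THRESHOLD
    return {
        "size": len(data),
        "type": kind,
        "entropy": round(ent, 3),
        "high_entropy": high,
        # Near-8.0 entropy with no header is what an encrypted or compressed second
        # stage looks like before its unpacker (here 7zr.exe) runs. The same
        # entropy inside a PE points at packing instead, so it is not flagged here.
        "likely_encrypted": kind == "data" and high,
    }


# Constructed samples (not bytes taken from the report).
UNIFORM_BLOB = bytes(range(256)) * 256                      # every value equally often: 8.0 bits/byte
SEVENZ_STUB = b"7z\xbc\xaf\x27\x1c\x00\x04" + bytes(64)     # 7z signature + version, zero body
PE_STUB = b"MZ" + bytes(range(256)) * 4                     # high entropy behind a real header
TASK_STUB = b'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"></Task>'

if __name__ == "__main__":
    for label, blob in (("uniform blob", UNIFORM_BLOB), ("7z stub", SEVENZ_STUB),
                        ("PE stub", PE_STUB), ("task xml", TASK_STUB)):
        print(f"{label:<13}", triage(blob))
```

Run against a real drop directory, the loop at the bottom becomes `triage(open(path, "rb").read())` per file; the pair (high_entropy, type == "data") is the cheap first filter for which files are worth feeding to an unpacker.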
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.981730188325277
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.45%
                              • Inno Setup installer (109748/4) 1.08%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              File name:Setup64v7.3.9.exe
                              File size:11'954'989 bytes
                              MD5:adbae5ff217253f04132277916d5af08
                              SHA1:148a186f26caa8fc6298ea9bf6641add1cfa2160
                              SHA256:9a10f85e8932ecec7724c573c91f32b086af49d0c6f1fc9e219328473ef31c67
                              SHA512:f1e53c7cf8c246628390325b08c50b31ff89a1e7d3f87df3309dfb562b594ff1693931db18d156c0221b9ef37d4902b1beb8809cfec5ce96fcf3711e6ee4561c
                              SSDEEP:196608:gcb0MHWvN4u2O3Rbzx0bPEGYYiNwd85zcgth546NFOwtkluL0HA3i4qIpK:gcGvNuO3Rbz0cHYmwdWzck4WOwtkEq3V
                              TLSH:C5C62323B3CBE03DF45D0B3B05B2B14494FB66226527AE66D7F484ACCF264611E3E616
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:4c4d494959190d0c
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007F93B4B39D35h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007F93B4BCB6BBh
                              call 00007F93B4BCB20Eh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007F93B4BC5EE8h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007F93B4B33DE3h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007F93B4BC7213h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007F93B4BCB743h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007F93B4BD242Ah
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007F93B4BC7B08h
                              mov edx, dword ptr [004B4200h]
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x3dfc | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xcb000 | 0x3dfc | 0x3e00 | c2cbf0b5467ae1d2c1ce5d1982f3376c | False | 0.2745715725806452 | data | 3.9801511105858904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
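The section table above and the data-directory table before it are read straight out of the PE headers; the "Is in Section" column is each directory's RVA matched against the sections' virtual ranges, and "Entrypoint Section" is the same lookup applied to AddressOfEntryPoint (0x4a83bc minus the 0x400000 image base). The script below is an added example and not part of the report: it parses the COFF header, optional header, data directories and section table of a PE32 or PE32+ image from raw bytes and performs that lookup. Because the dropped binary cannot be embedded here, the script constructs a minimal header in-script from the values in the two tables (the flag bits follow the names in the Characteristics column; no code or data is included); parse_pe accepts the bytes of a real file in exactly the same way. One detail the lookup makes visible: the TLS directory at 0xb9000 falls inside .rdata rather than the .tls section at 0xb8000.

```python
"""Parse a PE section table and data directories and map RVAs to sections.

Added example, not part of the Joe Sandbox report. SAMPLE_IMAGE is a minimal
PE32 header constructed in-script from the report's two tables; it is not the
dropped binary itself (no code, raw section data or resources are included).
"""
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
# IMAGE_SCN_* bits for the names used in the report's Characteristics column.
CODE, IDATA, DISCARD, EXEC, READ, WRITE = 0x20, 0x40, 0x02000000, 0x20000000, 0x40000000, 0x80000000


def build_pe32_header(entry_rva, image_base, directories, sections):
    """Construct DOS stub + NT headers + section table for a PE32 image (headers only)."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    struct.pack_into("<I", opt, 92, len(directories))          # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(directories):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return entry RVA, image base, data directories and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B     # PE32+ has a 64-bit ImageBase
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if is64
                  else struct.unpack_from("<I", data, opt + 28)[0])
    ndirs_off = opt + (108 if is64 else 92)
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw": raw, "chars": chars})
    return {"entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Name of the section whose mapped range contains rva, or None (headers / unmapped)."""
    for s in sections:
        # The loader maps max(VirtualSize, SizeOfRawData), so that is the extent to test.
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None


def directory_map(pe):
    """Reproduce the report's 'Is in Section' column as name -> (rva, size, section)."""
    out = {}
    for name, (rva, size) in zip(DIRECTORY_NAMES, pe["dirs"]):
        # SECURITY holds a raw file offset, not an RVA, so it is never mapped to a section.
        unmapped = name == "SECURITY" or rva == 0
        out[name] = (rva, size, None if unmapped else section_for_rva(pe["sections"], rva))
    return out


# Constructed from the report's section table: (name, VirtualAddress, VirtualSize, RawSize, flags).
REPORT_SECTIONS = [
    (".text",   0x1000,  0xA568C, 0xA5800, CODE | EXEC | READ),
    (".itext",  0xA7000, 0x1B64,  0x1C00,  CODE | EXEC | READ),
    (".data",   0xA9000, 0x3838,  0x3A00,  IDATA | READ | WRITE),
    (".bss",    0xAD000, 0x7258,  0x0,     READ | WRITE),
    (".idata",  0xB5000, 0xFEC,   0x1000,  IDATA | READ | WRITE),
    (".didata", 0xB6000, 0x1A4,   0x200,   IDATA | READ | WRITE),
    (".edata",  0xB7000, 0x71,    0x200,   IDATA | READ),
    (".tls",    0xB8000, 0x18,    0x0,     READ | WRITE),
    (".rdata",  0xB9000, 0x5D,    0x200,   IDATA | READ),
    (".reloc",  0xBA000, 0x10FA8, 0x11000, IDATA | DISCARD | READ),
    (".rsrc",   0xCB000, 0x3DFC,  0x3E00,  IDATA | READ),
]
# Constructed from the report's data-directory table, in IMAGE_DIRECTORY_ENTRY order.
REPORT_DIRS = [(0xB7000, 0x71), (0xB5000, 0xFEC), (0xCB000, 0x3DFC), (0, 0), (0, 0),
               (0xBA000, 0x10FA8), (0, 0), (0, 0), (0, 0), (0xB9000, 0x18), (0, 0), (0, 0),
               (0xB52D4, 0x25C), (0xB6000, 0x1A4), (0, 0), (0, 0)]
SAMPLE_IMAGE = build_pe32_header(0x4A83BC - 0x400000, 0x400000, REPORT_DIRS, REPORT_SECTIONS)

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_IMAGE)
    print("entry point section:", section_for_rva(pe["sections"], pe["entry"]))
    for name, (rva, size, sect) in directory_map(pe).items():
        if rva:
            print(f"{name:<14} {rva:#09x} {size:#07x} {sect}")
```

Beyond reproducing the table, the same parser is the starting point for the checks a triage script wants on a fresh drop: a section whose raw size is 0 but whose virtual size is large (.bss here is legitimate; an unnamed one in a packed file is not), an entry point outside the first code section, or a directory RVA that maps to no section at all.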
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xcb438 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.05054151624548736
                               RT_STRING | 0xcbce0 | 0x3f8 | data | | | 0.3198818897637795
                               RT_STRING | 0xcc0d8 | 0x2dc | data | | | 0.36475409836065575
                               RT_STRING | 0xcc3b4 | 0x430 | data | | | 0.40578358208955223
                               RT_STRING | 0xcc7e4 | 0x44c | data | | | 0.38636363636363635
                               RT_STRING | 0xccc30 | 0x2d4 | data | | | 0.39226519337016574
                               RT_STRING | 0xccf04 | 0xb8 | data | | | 0.6467391304347826
                               RT_STRING | 0xccfbc | 0x9c | data | | | 0.6410256410256411
                               RT_STRING | 0xcd058 | 0x374 | data | | | 0.4230769230769231
                               RT_STRING | 0xcd3cc | 0x398 | data | | | 0.3358695652173913
                               RT_STRING | 0xcd764 | 0x368 | data | | | 0.3795871559633027
                               RT_STRING | 0xcdacc | 0x2a4 | data | | | 0.4275147928994083
                               RT_RCDATA | 0xcdd70 | 0x10 | data | | | 1.5
                               RT_RCDATA | 0xcdd80 | 0x310 | data | | | 0.6173469387755102
                               RT_RCDATA | 0xce090 | 0x2c | data | | | 1.1818181818181819
                               RT_GROUP_ICON | 0xce0bc | 0x14 | data | English | United States | 1.25
                               RT_VERSION | 0xce0d0 | 0x584 | data | English | United States | 0.273371104815864
                               RT_MANIFEST | 0xce654 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                              DLL | Import
                              kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                              comctl32.dll | InitCommonControls
                              user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                              oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                              advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                              Name | Ordinal | Address
                              __dbk_fcall_wrapper | 2 | 0x40fc10
                              dbkFCallWrapperAddr | 1 | 0x4b063c
                              Language of compilation system | Country where language is spoken | Map
                              English | United States |
                              No network behavior found


                              Target ID:0
                              Start time:05:09:59
                              Start date:26/12/2024
                              Path:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Setup64v7.3.9.exe"
                              Imagebase:0xd40000
                              File size:11'954'989 bytes
                              MD5 hash:ADBAE5FF217253F04132277916D5AF08
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:05:09:59
                              Start date:26/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-M5QBB.tmp\Setup64v7.3.9.tmp" /SL5="$20452,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe"
                              Imagebase:0x630000
                              File size:3'282'432 bytes
                              MD5 hash:9C495CFE45360DE58A589F398974999F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:05:10:00
                              Start date:26/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff7be880000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:05:10:00
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:05:10:04
                              Start date:26/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff6ef0c0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:6
                              Start time:05:10:05
                              Start date:26/12/2024
                              Path:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
                              Imagebase:0xd40000
                              File size:11'954'989 bytes
                              MD5 hash:ADBAE5FF217253F04132277916D5AF08
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:7
                              Start time:05:10:06
                              Start date:26/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-US724.tmp\Setup64v7.3.9.tmp" /SL5="$20468,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
                              Imagebase:0xd00000
                              File size:3'282'432 bytes
                              MD5 hash:9C495CFE45360DE58A589F398974999F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:8
                              Start time:05:10:08
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0x250000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              • Detection: 0%, Virustotal
                              Reputation:moderate
                              Has exited:true

                              Target ID:12
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0x250000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:14
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:05:10:09
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:05:10:10
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:05:10:11
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:05:10:12
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:05:10:13
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:98
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6addd0000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:107
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:108
                              Start time:05:10:14
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61c2c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:266
                              Start time:05:10:21
                              Start date:26/12/2024
                              Path:C:\Windows\System32\Conhost.exe
                              Wow64 process (32bit):
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:
                              Has administrator privileges:
                              Programmed in:C, C++ or other language
                              Has exited:false
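
The process list above shows the sample spawning `cmd /c start sc start CleverSoar` over and over, each cmd.exe wrapper in turn spawning an sc.exe child and a conhost.exe, all with administrator privileges. One practical use of such a list is to feed it to detection logic rather than read it by eye. The following Python is an added example, not part of the Joe Sandbox report or the sample's own code: it parses records in the report's layout and flags any service that sc.exe is launched to start repeatedly within a short window. The sample records are constructed to mirror the entries above, and the threshold, window and function names are choices for this illustration, not values taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "sc start <service>" whether typed directly or wrapped in "cmd /c start ...".
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def _constructed_sample():
    """Constructed records mirroring the report's layout (not copied from it)."""
    rows = [  # (Target ID, Start time, image, Commandline)
        ("75", "05:10:13", "cmd.exe", "cmd /c start sc start CleverSoar"),
        ("76", "05:10:13", "sc.exe", "sc start CleverSoar"),
        ("77", "05:10:13", "conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
        ("78", "05:10:13", "cmd.exe", "cmd /c start sc start CleverSoar"),
        ("79", "05:10:13", "sc.exe", "sc start CleverSoar"),
        ("80", "05:10:13", "conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
        ("81", "05:10:14", "cmd.exe", "cmd /c start sc start CleverSoar"),
        ("82", "05:10:14", "sc.exe", "sc start CleverSoar"),
    ]
    blocks = []
    for tid, start, image, cmd in rows:
        blocks.append("\n".join([
            "Target ID:" + tid,
            "Start time:" + start,
            "Start date:26/12/2024",
            "Path:C:\\Windows\\System32\\" + image,
            "Commandline:" + cmd,
            "Has administrator privileges:true",
        ]))
    return "\n\n".join(blocks)


SAMPLE_RECORDS = _constructed_sample()


def parse_records(text):
    """Split a process list into one dict per blank-line-separated record.
    Each line is split on its first ':' only, so 'Path:C:\\Windows\\...' keeps
    its drive letter and 'Start time:05:10:13' keeps its colons."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.strip().split(":", 1)
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def service_start_events(records):
    """Return (target_id, image, service, timestamp) for every record whose
    command line asks the Service Control Manager to start a service."""
    events = []
    for rec in records:
        match = SC_START_RE.search(rec.get("Commandline", ""))
        if not match:
            continue
        when = datetime.strptime(rec["Start date"] + " " + rec["Start time"],
                                 "%d/%m/%Y %H:%M:%S")
        image = rec.get("Path", "").rsplit("\\", 1)[-1].lower()
        events.append((rec["Target ID"], image, match.group(1), when))
    return events


def burst_alerts(records, threshold=3, window=timedelta(seconds=10)):
    """Flag each service that sc.exe was launched to start at least `threshold`
    times within any `window`. Only sc.exe launches are counted, so a cmd.exe
    wrapper and the sc.exe child it spawns are not counted twice.
    Returns {service: (total sc.exe launches, first timestamp, last timestamp)}."""
    by_service = defaultdict(list)
    for _tid, image, service, when in service_start_events(records):
        if image == "sc.exe":
            by_service[service].append(when)
    alerts = {}
    for service, times in by_service.items():
        times.sort()
        left = 0
        for right in range(len(times)):  # sliding window over sorted launch times
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                alerts[service] = (len(times), times[0], times[-1])
                break
    return alerts


if __name__ == "__main__":
    for service, (count, first, last) in burst_alerts(parse_records(SAMPLE_RECORDS)).items():
        print(f"{service}: {count} sc.exe starts between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Counting only the sc.exe launches (and not the cmd.exe wrappers that spawn them) is deliberate: in the report every wrapper produces exactly one sc.exe child, so counting both would double every figure without adding signal. On real endpoint telemetry the same logic applies to process-creation events with the command line and image path fields substituted for the report's `Commandline` and `Path` keys.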


                                Execution Graph

                                Execution Coverage:0%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.3%
                                Total number of Nodes:43
                                Total number of Limit Nodes:1
                                execution_graph (graph node dump; the rendered graph is not reproduced here). Nodes rooted at 6c63c974 in the module mapped at 6C570000 reach GetLastError, ExitThread, TlsGetValue, TlsSetValue, SetLastError, GetProcAddress and GetPEB.

                                Control-flow Graph

                                APIs
                                • GetLastError.KERNEL32(6C663A20,0000000C), ref: 6C63C987
                                • ExitThread.KERNEL32 ref: 6C63C98E
                                Memory Dump Source
                                • Source File: 00000007.00000002.2246467117.000000006C571000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C570000, based on PE: true
                                • Associated: 00000007.00000002.2246419704.000000006C570000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2247127722.000000006C655000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2251283473.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 462b94cae087074459c3dbf1a0cb0b0c26de160d50a8d7753c72888950cf768a
                                • Instruction ID: 66416696b456676e8151d3912aa034857a89ca2c0ccb95990296fc0083abc82a
                                • Opcode Fuzzy Hash: 462b94cae087074459c3dbf1a0cb0b0c26de160d50a8d7753c72888950cf768a
                                • Instruction Fuzzy Hash: 0FF0C870A04214AFDB05BF71C449AAE3B75FF06308F105249F40A97B80CF349905DBAD
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C680097
                                  • Part of subcall function 6C6831D6: __EH_prolog.LIBCMT ref: 6C6831DB
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $*$0UJ$@$@
                                • API String ID: 3519838083-862571645
                                • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                • Instruction ID: 1009e3cbbc692e6b33223841168f74039a27f439522c7481ba1297ecc32576f1
                                • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                • Instruction Fuzzy Hash: 2433A330E02258DFDF25CFA4C894BDDBBB1AF45308F1084A9D519A7A50DB709E89CF69
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6D28A4
                                • __aulldiv.LIBCMT ref: 6C6D2C4A
                                • __aulldiv.LIBCMT ref: 6C6D2C78
                                • __aulldiv.LIBCMT ref: 6C6D2D18
                                  • Part of subcall function 6C6D436D: __EH_prolog.LIBCMT ref: 6C6D4372
                                  • Part of subcall function 6C6D440E: __EH_prolog.LIBCMT ref: 6C6D4413
                                  • Part of subcall function 6C6D3E78: __EH_prolog.LIBCMT ref: 6C6D3E7D
                                  • Part of subcall function 6C6CE24A: __EH_prolog.LIBCMT ref: 6C6CE24F
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog$__aulldiv
                                • String ID: L$b
                                • API String ID: 604474441-3566554212
                                • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                • Instruction ID: 4b1c7dc8ff24d1c37f4811e123d501eef51b52acbf80efdec0eb3b5342c48e88
                                • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                • Instruction Fuzzy Hash: CCE2AE70D05289DFCF15CFA4C994AECBBB0BF1A308F1540A9D449A7B41DB706E89CB69
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6C54B1
                                  • Part of subcall function 6C6C693B: __EH_prolog.LIBCMT ref: 6C6C6940
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 1$`)K$h)K
                                • API String ID: 3519838083-3935664338
                                • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction ID: 6480a7d4d1d0f7502f0969b384567d6137fcbdaa524c547d54dc8c7299d13d1f
                                • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction Fuzzy Hash: EEF28D70A05248DFDB11CBA4C884BEDBBB5EF49308F244499D449EB741DB74DA85CF2A
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6B7EF4
                                  • Part of subcall function 6C6BB622: __EH_prolog.LIBCMT ref: 6C6BB627
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $h%K
                                • API String ID: 3519838083-1737110039
                                • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction ID: 03af42dd8cc9c004ceb9bafbbef1411272d2019dac47ba6747cb05cba3e067d9
                                • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction Fuzzy Hash: 8253B930901259DFDB15CFA4C884BEDBBB4AF1A308F1440D9D44AB7692CB70AE99CF59
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $J
                                • API String ID: 3519838083-1755042146
                                • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction ID: c3be4161aa00be0da232caba78b545e8f1cb3b186893e4498c73c4bd23e326a6
                                • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction Fuzzy Hash: 43E2A070A05249DFEF01CFA4C598BDDBBB4EF0630CF248099E855AB682C774D945CB6A
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C693CE5
                                  • Part of subcall function 6C669C2A: __EH_prolog.LIBCMT ref: 6C669C2F
                                  • Part of subcall function 6C66B6A6: __EH_prolog.LIBCMT ref: 6C66B6AB
                                  • Part of subcall function 6C693A0E: __EH_prolog.LIBCMT ref: 6C693A13
                                  • Part of subcall function 6C693837: __EH_prolog.LIBCMT ref: 6C69383C
                                  • Part of subcall function 6C697143: __EH_prolog.LIBCMT ref: 6C697148
                                  • Part of subcall function 6C697143: ctype.LIBCPMT ref: 6C69716C
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction ID: 4278814827e5fe0da8106bc61a7471b99942ae84a22ad465f19dc9e89d72150a
                                • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction Fuzzy Hash: 7D03DE3080528ADFDF11CFA4C854BECBBB0AF16308F244099D45967B91DB709B89DF6A
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: 3J$`/J$`1J$p0J
                                • API String ID: 0-2826663437
                                • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction ID: 563d593fb5bbb0bdb3842aece58f36e463ad40ba9229f609bf9f84307d3aba09
                                • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction Fuzzy Hash: 2F41EAB2F109601AF3488E7A8C855667FC3C7C9346B49C23DD575C76D9DA7DC40782A8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: W
                                • API String ID: 3519838083-655174618
                                • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction ID: 13219bf08812c61b9170f42cadc6085d1c21ec12701d6a34d449a1b0f8ab9102
                                • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction Fuzzy Hash: 66B28A70A05259DFDB11CFA8C588B9EBBB4BF09308F244099E845EB782C775ED51CBA4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-3916222277
                                • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                • Instruction ID: ad881a08463fb3e57238715fe474b1c244ce09bb57852d2dfacedd4f4a0d9f01
                                • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                • Instruction Fuzzy Hash: 1E928E30905259DFDB04DFE8C854BEEBBB1AF0A308F244099E816AB751C771ED46CB69
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-3916222277
                                • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                • Instruction ID: fdf239dd1526f5939750437478aca7abbb6df49fee25ee707c0bb1cafecfe885
                                • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                • Instruction Fuzzy Hash: E6225878A002099FCB14CFA8C494B9DBBF0FF09308F108569E859AB792D774E955CF99
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6B189B
                                  • Part of subcall function 6C6B2FC9: __EH_prolog.LIBCMT ref: 6C6B2FCE
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @ K
                                • API String ID: 3519838083-4216449128
                                • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction ID: fb3f9f923bc4d725ef63e732250b19bc9e686f2f375cb34a38dd74e7b48287ad
                                • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction Fuzzy Hash: F9D12371E00244AFDB14CFA4C4907EEB7B6FF84318F24806AD415BBA94DB74E9A5CB58
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction ID: 769a6a644f8b8c24b66429cef1cff3f353a3fd637654f75a4eb8dc92c30c6ed8
                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction Fuzzy Hash: 01911371C04109DACF04CFA6E5909EDFB75EF5630CF208069D451A7E52DB319989CB9E
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction ID: 4fef1abb0637b7807461e782ec3c10967de972fc27a821a633bcd4d697b2065e
                                • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction Fuzzy Hash: E0B29A30A05788DFCB21CFA9C490BDEBBF1FF09308F104599D59A97A81D770A985CB5A
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction ID: 0a308b9dab581d5569345c3a792238f3b33aa49e5cfa755af1a050e1f82375e2
                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction Fuzzy Hash: 1B216D37BA49564BD74CCA28EC37AB966C0E744305B89527EE94BCB7E1DE6D8800C64C
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C68240F
                                  • Part of subcall function 6C683137: __EH_prolog.LIBCMT ref: 6C68313C
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction ID: f1c20362f705a65a780c9d6a55b085262090ccedc05cc4990c428a61422dadd7
                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction Fuzzy Hash: 3F629E70D02259CFDF15CFA4C898BEDBBB1BF09308F14446AE815AB680D7749A45CFA9
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: YA1
                                • API String ID: 0-613462611
                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction ID: 9a50e98cb02d924c2420005f88f5f3841034a72143730639374dc767d1b0b415
                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction Fuzzy Hash: 0842B37160D3818FC315CF28C49069ABBE2FFD9308F164A6DE4D68B742D671E94ACB46
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                • Instruction ID: b2d5f9937aeae01b6a19f25188619d4690ad7de1c14e515dcc6929b9f0c47720
                                • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                • Instruction Fuzzy Hash: 8EE19EB16083458FD724CF29C980AAAB7F5BFC8318F14862EF9988B755D730D945CB91
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction ID: 3a1c078a29fe40f1f5e3f6490ab0fc8dc6cddc8593a37102ebda25b2181b10d2
                                • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction Fuzzy Hash: C9F17970A05249DFCB14CFA4C590BEDBBB0BF05308F14806DD419ABB52DBB1AA69CF59
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction ID: 16d83a1b986e7608b3fdf59127f02e8dd01f169142f535fb5f7df0ae61f01390
                                • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction Fuzzy Hash: C3324AB1A083058FC318CF56C48495AF7E2BFCC314F468A6DE98997355DB74AA09CF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction ID: 9a38e8d582f3a1cca586adc313facbbe538dadb6dcbc7023af9eb9eb9de16619
                                • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction Fuzzy Hash: 411207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction ID: 4443f737e58f458289fa1aa26074ccd2247e4b79730f967fc98543893964b179
                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction Fuzzy Hash: E151FA71A042459BD710CF6AC4C02EDFBF6EF7A214F28C05DF88897642D27A499AC761
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction ID: e683918fc34974e4e6192eddd3f795fc4d2009f36d1a4b256c5c77a50f76e2ce
                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction Fuzzy Hash: B9029E3160E3418BD725CF28C49079EBBE2AFC9308F144A2EE9C597B52D774D945CB8A
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction ID: a44e57a1f5ec2970c6df2ae4430c9e9d2cdc044fd1d54feaad018c6e29687a9f
                                • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction Fuzzy Hash: E8D13E729083148FC718DF4AD44045BF7E2BFC8314F1A8A2EF898A7315DB70A9568BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction ID: 3ef0550ce5248fd5f4354a959a22cef458ae8ef94cba6c4e3f753ecb3a6c3171
                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction Fuzzy Hash: B1518473E208314AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78989587D4
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction ID: 209e828361f3a2930278eaf5fbe74108de7f1dab1879654a084552ce224dbc99
                                • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction Fuzzy Hash: 41728EB1A042178FD748CF28C490258FBE1FF88314B5A56AED95ADB742DB30E895CBC5
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction ID: 625cf60e0cc23b307e2fb59e423254e82c835ac70b7cfc58568cb9f94a6d2689
                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction Fuzzy Hash: 38526E31608B458BD328DF29C4906AAB7E2BF85308F158A2DD4DAC7B41DB71F449CF59
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction ID: 4eb32902c30462e6892f141d8fc84e8f7397a0e6b685af8e444a16958e62c0af
                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction Fuzzy Hash: 17623771A083458FC714CF1AC48055AFBF2BFC9744F648A6EE8A587725D770E846CB8A
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction ID: 6af1a919db5cff2338c55c1ea1902b5bae1c7f5109f752cfb756e7c5179ed830
                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction Fuzzy Hash: CE427171604B058FD328CF69C8907AAB7E2FB84314F444A2DE4A7C7B94E774E94ACB45
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                • Instruction ID: 4cb1e105c4d10c97c198f25660700530abfa6276b179ae4facf301791f413fed
                                • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                • Instruction Fuzzy Hash: D5329171A0924A8BDB08CF68C8902EE3BA2FF89348F15853EED55DB740D7B0D955CB94
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: 862089a19a9a840f3080a215cae1f9fcd5fcd332a03c93a263e5891d4088a7fc
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: EB12B07120E7418FC718CF28C5906AABBF2BFC9304F54492EE99687B42DB31E845DB59
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction ID: 96ad56254fd0c17784227787b35f51d025bbf91865edb5967537b884a6311f1a
                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction Fuzzy Hash: 9A02F6B3A083514BD715CE1ECC90219B7E3BBC0394F6A5A2EF8A647784DAB0D947C785
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: 7f5059bcc433335ab5d4e0a8439321911f81cd157f0edb558cab77ab1b9acf8f
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: AF020CB2A083118FD318CE28C4D0259BBF3FBC4399F150B2EE4A697A54D774D946CB96
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction ID: 93b319c7c9843ee1f0c38c97ce7602477f5d8ca62d833c1ba422504027cb2217
                                • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction Fuzzy Hash: 1012D0306087518FC328CF2EC49066AFBF2AFC5304F188A6ED1E687AA5D735E549CB55
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction ID: e64f3fc3e24c7d8bc3f454e4d41f5a40da324a4add940d45af36afe5724c30d0
                                • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction Fuzzy Hash: 2B02B3716087208FC328CF2ED49022AFBF2EF85305F148A6ED5D687B91D236E559CB55
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction ID: 231569e074d1fd96ab804368e3994150131f21be97bd318a4b739da5515d7b05
                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction Fuzzy Hash: E9F122316082898BEB24DE2CD8507EEBBE2FBC5304F55453DD88ACBB40DB35A54AC795
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction ID: 735f0ed7deec7752ffe1b8d1b64bf93b5becb5869754dd7aa1a7c1fa36844339
                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction Fuzzy Hash: 8BE10135709B008BD724CF29D4503ABB7E2EBC8314F544A3EC59687B90DB75E50ACB85
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction ID: 66ee426eaa7fdb1a1b5ae6a3b6b40eb344ccb3ab62e3034957f0252da5598360
                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction Fuzzy Hash: EAF1D1706087518FC328CF2DD490266FBE2BF89304F184A6ED1E6C7A91D339E555CB55
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction ID: 7f92bc60afbd6bf734eeb79205cd918188a8ff69fc4944a33943b731e1050d81
                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction Fuzzy Hash: 19F1D470508B518FC329CF29C490266FBF2BF85309F288A2ED5E687B81D339E156CB55
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction ID: 8eefba19038cafb590b4e0b50ebbd93647728c8685f03681b092e75a8c326e2d
                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction Fuzzy Hash: FEC1C471609B068BE328CF2DC4905AAB7E2EBD8314F548A3EC19787B55E730F495CB85
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction ID: 82ffaf0530f7e6031f3893178369b5430187203cbe72e02b2902d8071232a33b
                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction Fuzzy Hash: 8DD1007150A6168FD718AF1DC4A4236BFE1FF8A308F054A7ED9A38B38AD7349515CB48
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction ID: 4c7b039aaf69a37cbd991dc5c037f1eddae6e0259eb6b3b263c856404c0fee82
                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction Fuzzy Hash: 61E1D6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction ID: af0bf448d1bb2fbd48b26413938a05ceed240d39d9f2f4098e167dcb1270aa28
                                • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction Fuzzy Hash: 2BB1757160A2118FC341CF2DC8802597BA2FFC932977597AEC4A45FA5AD336E417CB98
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 5a687d0cfda976fd3a8509ed11a202bcd6b0a40f1dc62bcb7bccb850ee3eb374
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: 45C1B4356047418BC718CF39E0A06D6BBE2EFDA314F158A6DC4CA4BB55DA70B40DCB5A
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction ID: e1339eac4371153cfc9316006a2a1ef64c4e6435a26ac48d6368a56e6d47b0c5
                                • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction Fuzzy Hash: ACB170716063048FC750CF29C880254BBA1FF8936CB79969EC8948FA46E337D847CB98
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction ID: 9abf0aac8ec7ffb9c5d45bac220e5f5fc2836aec2abe5566cb2a32ef0b371f4c
                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction Fuzzy Hash: FFD1E7B1848B9A5FD394EF4DEC81A357762AB88301F4A8239DB600B753D634BB12D794
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction ID: 28f78cfe2eae0fca891897221852c803cbda2036157451bf56fec5e554ad3223
                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction Fuzzy Hash: 1BB1D131309B454BD324DF39C890BEAB7E1AF86308F05492DC5AA87745EF35B5098B9C
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction ID: e1fe9b0abfeccc44a55ee8109ecec3f1e773d7cacc61207d1d98b9bd49c7b6d9
                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction Fuzzy Hash: 52B1BF756087028BC314DF29C8806ABF7E2FFC8304F55892DE49AC7711E771A55ACB9A
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction ID: 23cf0ab1a28fc5a6ccb9d2e4ecc39527fcbb270b80f75402ebaed4910cf2823d
                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction Fuzzy Hash: 8CA1F47260D3458FC314CF29C49069EBBE1EBD9308F544A2EE5D6C7B41D631E94ACB4A
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction ID: 032c1b8fab20ed7b5902a0e1e072b12c924013b188ff5f46a03b58b863503000
                                • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction Fuzzy Hash: EB614CB23192158FD708CFA9E580A96B3E9EB98321B1685BFE105CF362E771DC41D718
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction ID: 244fd9372805f2dd9412468b695570e9ea8fec496ea5475eca017529b7c327c2
                                • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction Fuzzy Hash: 3B81A135A097058FC320CF29C080646B7E1FF99708F288A6EC699DB711E772E946CB85
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction ID: 0851cec6849ede9df31984cdd6bfb5d10c82dd4c577665403a0c4f383198656c
                                • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction Fuzzy Hash: 5F81F2B2D487298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                • Instruction ID: efb4d2a3ac572d7ade171d872067a67764c00ecb98a562d5b022d60d49467a3e
                                • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                • Instruction Fuzzy Hash: FCA1CD7190824A8FD329CF18C490AAEB7F2FF84308F188A2DE4968B745D375A656CB45
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction ID: a8b4a3583fa3d99a82f1f373aa2570cfdad862f71d8538e1898494e2b1da27ac
                                • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction Fuzzy Hash: 33918EB2C1872A8BD314CF18D88025AB7E0FB88318F49467DED9A97341D739EA55CBC5
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                 • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: ac4d82cacf49514e3eb31ac3590d8dbdc06b3a5f97fff6e0f246d2eba0f225f8
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: 0D51AF72F006099BDB08CFA8DD916EDB7F6EB88308F24896DD011E7781D7749A41CB64
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                • Instruction ID: 8289d537b548373b20c29eb65a14db758f49f291508952a48c15e0f178eb66cc
                                • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                • Instruction Fuzzy Hash: 58519D316083458BD710DF1EC88460AB7E1FF9C718F254A6EE99487722D771E906CBD9
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: eebd80e2ec63894c57630a0ab340b7c3bd4bdbbcff3727682c4a1111e50f3672
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: 953114277A440113C71CC93BCC12B9F91535BD422A71ECF39A805CAF55D92CC8124159
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                • Instruction ID: 7428372cb1d35ce8d06d04db0274510420576de018b2a42e1b80679dc194d556
                                • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                • Instruction Fuzzy Hash: 28316D7350FE052BF200691ACD403D67A23DFCA378F1A8727D82787EE8DA7594068148
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction ID: 219e6f02343ffc3b27e97e081249b7b52681c27cd6382a58e47e67ddd0a2b599
                                • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction Fuzzy Hash: 37317B7350EB050AF201992DC984356B623DFCA37CF2A8727C92787EECDA729406864C
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction ID: bc86cb53bdf3d381b8a80d5f194f4934e3dcc08de3deca7b7b5e22fbf0a878e0
                                • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction Fuzzy Hash: 3B41D1B29047068BD700CF19C89056AB3E5FF88318F454A3DED6AA7391E334FA15CB86
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction ID: 2dca6e6602db707f5d05a855c8f0a9988f86cd80772e8d615ddd404d012c2a35
                                • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction Fuzzy Hash: 1F2128B1B047A607E7209E7DCCD037577D29BC130AF098279DAA48FA87D179D4A2D360
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                • Instruction ID: bd004d58a5c7b197852c72aa02790d0686c17ed60e2f1e86e420d18d2a267d8f
                                • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                • Instruction Fuzzy Hash: 1221D7B262482547C305DF2DE988777B7E1FFC431DF678A3AD9918B581C624D845C790
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                • Instruction ID: e79f3f6e330476a4259138d13a7a14536c0e6d44356e09f3fe0451b4e57f089e
                                • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                • Instruction Fuzzy Hash: 4121F1B26021148BC701EF6ED98469B73E6FBC8365F67C639ED8187641C630EA0687A0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction ID: 3b20c35a4b3904f7186c4f838b85a7e0cf78467858f0ce36cccbcaf204900260
                                • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction Fuzzy Hash: 22219077320A0647E74C8A38D93737532D0A705318F98A26DEA6BCE2C2E77AC457C385
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                • Instruction ID: 22c3d47c48d8b8194e856542475cbefc457e4f56ce417f5979baba524fc3df42
                                • Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                • Instruction Fuzzy Hash: BF2190327193428FC308DF58D88096BBBE6FFC9210F15857EE9848B355C635E906CBA1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                • Instruction ID: 9e77460ae15f6f0fc31f21e920ae4e53c6ebdfe2b77ea989d9b06342cd99e52a
                                • Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                • Instruction Fuzzy Hash: 111190723183464BC308CE1DDC90966BBE5FBC9304F24497EE985C7342C626D907DBA5
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                • Instruction ID: 9dfc1dcb6cc90a6438d4b053e063b9bbb83c9e501681c975811ca4014c5bf6c0
                                • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                • Instruction Fuzzy Hash: 5901DE6529668989D781DA79D890748FE80F756306FACC3E4E088CBF42D589C54BC3A1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction ID: b763e0070d8eeab85a9adb2246937c4da52133d49e64010a85eb526e5a6f5592
                                • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction Fuzzy Hash: 7E01DCB2914A2E97DB289F08CC41132B390FB84312F49823AED879B385E734F870C6C4
                                Memory Dump Source
                                • Source File: 00000007.00000002.2246467117.000000006C571000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C570000, based on PE: true
                                • Associated: 00000007.00000002.2246419704.000000006C570000.00000002.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2247127722.000000006C655000.00000002.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2251283473.000000006CBB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e07a2d561a90225e0d9a808b224c1f7fc207a4ac7a6abfed201fed0f8270f143
                                • Instruction ID: e45cf331e6675edffe838e0ab6050d0ff261dabbdb965a9169f880180dd8efcf
                                • Opcode Fuzzy Hash: e07a2d561a90225e0d9a808b224c1f7fc207a4ac7a6abfed201fed0f8270f143
                                • Instruction Fuzzy Hash: C7F0A071A102309BCB12CA4CD905B89B3F9EB46B65F11C096E400AB641C6B0DD40CBD8
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction ID: f623c937a3a45d77dca43a8f5153c587d083f613adbac188ff33caba0660185f
                                • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction Fuzzy Hash: F7C08CE322810017C312EA3599C0BAAF6A37361331F228C3EA0A2E7E43C328C0648611

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image for the function starting at 6c69bb50; executed and not-executed basic blocks are distinguished in the rendered graph]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                • API String ID: 3519838083-609671
                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction ID: 99b6dfbc66059e3c3ac781f2bbee535ba4959034df27403bb08e526bc26f03f4
                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction Fuzzy Hash: FBD1C331A0420BEFCF21CFA4D980BEDB7B5FF85308F204159E056A3A50DB709909CB69

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image for the function starting at 6c6c4bb3; executed and not-executed basic blocks are distinguished in the rendered graph]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                • API String ID: 3519838083-3887797823
                                • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                • Instruction ID: 5dc2bb24c785be90052812a5b707ebb1a1bd182d262d012c3437d0c4f60fd7a8
                                • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                • Instruction Fuzzy Hash: 2202C371A01249DFDB10CF54C990AFDBBB5FF16308F5441AEC049A7A50DB70AA89CB6A

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image for the function starting at 6c6b2b6f; executed and not-executed basic blocks are distinguished in the rendered graph]
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6B2B74
                                  • Part of subcall function 6C6B2AC2: __EH_prolog.LIBCMT ref: 6C6B2AC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                • API String ID: 3519838083-3148776506
                                • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                • Instruction ID: da9a2efd8ef22a93f3643b302df59be089e31a7ff42a8c91237b2ef7cbc8d45c
                                • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                • Instruction Fuzzy Hash: 1B5182309001069BCF14DF65C488AEEB3F2AB4630CF10C51ADD61ABE91DB75A95AC76D
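The `control_flow_graph …` lines in these entries are the text form of the Joe Sandbox IDA plugin's graph widget: each node is `<id> <start>[-<end>]` followed by zero or more `call <addr>` (with `* N` when the same call is repeated N times in the block), and each `<src>-><dst>` token is an edge. The following parser is an added example, not code from the report or from Joe Sandbox; it turns one such dump into blocks and edges and answers the questions a triager usually has (entry block, exit blocks, which addresses the function calls, how many call sites a given helper has, whether any block is unreachable). It assumes that the first listed node is the function's entry block and that `* N` is a repeat count; the sample input is the first graph on this page (function at 6c6b2b6f), plus a two-block graph constructed here to exercise the `* N` path.

```python
"""Parse the text form of a Joe Sandbox IDA-plugin control-flow graph dump."""
from dataclasses import dataclass, field
import re

_RANGE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    node_id: int
    start: int                                  # first instruction address
    end: int                                    # last address (== start for one-address nodes)
    calls: list = field(default_factory=list)   # (callee address, repeat count), in block order


@dataclass
class Cfg:
    blocks: dict                                # node id -> Block, in dump order
    edges: list                                 # (src id, dst id)

    def entry(self) -> Block:
        # Assumption: the plugin lists the function's entry block first.
        return next(iter(self.blocks.values()))

    def successors(self, node_id: int) -> list:
        return sorted({d for s, d in self.edges if s == node_id})

    def exits(self) -> list:
        """Node ids with no successor: the function's return paths."""
        return sorted(b.node_id for b in self.blocks.values() if not self.successors(b.node_id))

    def callees(self) -> set:
        return {addr for b in self.blocks.values() for addr, _ in b.calls}

    def call_sites(self, callee: int) -> int:
        """Number of call instructions targeting `callee`, honouring the `* N` notation."""
        return sum(n for b in self.blocks.values() for addr, n in b.calls if addr == callee)

    def unreachable(self) -> list:
        """Node ids never reached from the entry block (dead code or a truncated dump)."""
        seen, todo = set(), [self.entry().node_id]
        while todo:
            n = todo.pop()
            if n in seen:
                continue
            seen.add(n)
            todo.extend(self.successors(n))
        return sorted(set(self.blocks) - seen)


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, i = {}, [], 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                                   # edge token, e.g. "2412->2419"
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
            continue
        if not tok.isdigit() or i + 1 >= len(toks):
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        m = _RANGE.match(toks[i + 1])                     # node token pair "<id> <start>[-<end>]"
        if not m:
            raise ValueError(f"bad address range {toks[i + 1]!r} for node {tok}")
        start = int(m.group(1), 16)
        end = int(m.group(2), 16) if m.group(2) else start
        blk = Block(int(tok), start, end)
        i += 2
        while i + 1 < len(toks) and toks[i] == "call":    # zero or more "call <addr> [* N]"
            callee, count, i = int(toks[i + 1], 16), 1, i + 2
            if i + 1 < len(toks) and toks[i] == "*":
                count, i = int(toks[i + 1]), i + 2
            blk.calls.append((callee, count))
        blocks[blk.node_id] = blk
    return Cfg(blocks, edges)


def summarize(text: str) -> dict:
    """Triage summary of one dump: entry, size, exits, callees, unreachable blocks."""
    cfg = parse_cfg(text)
    e = cfg.entry()
    return {
        "entry": f"{e.start:08x}",
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "exits": [f"{cfg.blocks[n].start:08x}" for n in cfg.exits()],
        "callees": sorted(f"{a:08x}" for a in cfg.callees()),
        "unreachable": cfg.unreachable(),
    }


# First graph on this page, copied verbatim (function at 6c6b2b6f).
PAGE_GRAPH = (
    "control_flow_graph 2412 6c6b2b6f-6c6b2b9c call 6c703f10 call 6c667247 call 6c666685 "
    "2419 6c6b2b9e-6c6b2ba5 2412->2419 2420 6c6b2bcc-6c6b2bd1 2412->2420 "
    "2422 6c6b2ba7-6c6b2bb3 call 6c667963 2419->2422 2423 6c6b2be6-6c6b2bf6 call 6c672117 2419->2423 "
    "2421 6c6b2d43-6c6b2d5c call 6c666240 2420->2421 2432 6c6b2bb5-6c6b2bbf call 6c6b2ac2 2422->2432 "
    "2433 6c6b2bc4-6c6b2bca 2422->2433 2430 6c6b2bfc-6c6b2c0b call 6c6667ac 2423->2430 "
    "2431 6c6b2d36-6c6b2d3c call 6c6a4d82 2423->2431 2443 6c6b2c0d 2430->2443 "
    "2444 6c6b2c20-6c6b2c2f call 6c6667ac 2430->2444 2440 6c6b2d41 2431->2440 2432->2440 2433->2420 "
    "2434 6c6b2bd6-6c6b2be1 call 6c6b29b6 2433->2434 2434->2440 2440->2421 "
    "2445 6c6b2c13-6c6b2c1b call 6c6720d7 2443->2445 2449 6c6b2c31-6c6b2c34 2444->2449 "
    "2450 6c6b2c36-6c6b2c45 call 6c6667ac 2444->2450 2445->2440 2449->2445 "
    "2454 6c6b2c47-6c6b2c58 call 6c6720d7 2450->2454 2455 6c6b2c74-6c6b2c83 call 6c6667ac 2450->2455 "
    "2454->2440 2460 6c6b2c5e-6c6b2c6f 2454->2460 2461 6c6b2ca3-6c6b2cb9 call 6c6a50c1 2455->2461 "
    "2462 6c6b2c85-6c6b2c92 call 6c6720d7 2455->2462 2460->2440 2461->2440 "
    "2467 6c6b2cbf-6c6b2cc2 2461->2467 2462->2440 2468 6c6b2c98 2462->2468 "
    "2470 6c6b2ce2-6c6b2cf1 call 6c6667ac 2467->2470 2471 6c6b2cc4-6c6b2ccd 2467->2471 "
    "2469 6c6b2c9c-6c6b2c9e 2468->2469 2469->2421 2477 6c6b2cf3-6c6b2d00 call 6c6a5191 2470->2477 "
    "2478 6c6b2d02-6c6b2d11 call 6c6667ac 2470->2478 2471->2469 2472 6c6b2ccf-6c6b2cd1 2471->2472 "
    "2472->2469 2474 6c6b2cd3-6c6b2cd6 2472->2474 2474->2469 2476 6c6b2cd8-6c6b2cdb 2474->2476 "
    "2476->2469 2480 6c6b2cdd 2476->2480 2477->2440 2484 6c6b2d1b-6c6b2d2a call 6c6667ac 2478->2484 "
    "2485 6c6b2d13-6c6b2d19 2478->2485 2480->2420 2484->2431 2489 6c6b2d2c 2484->2489 "
    "2486 6c6b2d2f 2485->2486 2486->2431 2489->2486"
)

# Constructed two-block graph (not from the report) exercising the "* N" repeat notation.
SYNTHETIC_GRAPH = "control_flow_graph 1 6c000000-6c000010 call 6c00ff00 * 2 2 6c000012 1->2"

if __name__ == "__main__":
    for name, dump in (("page", PAGE_GRAPH), ("synthetic", SYNTHETIC_GRAPH)):
        print(name, summarize(dump))
```

Two practical notes. The text dump carries no executed/not-executed attribute per node, so block coverage cannot be recovered from it; only the structure can. Cross-referencing the entry block's first call (6c703f10) with the `__EH_prolog.LIBCMT ref: 6C6B2B74` line in the same entry suggests that 6c703f10 is the CRT's `__EH_prolog`, which is an inference from the two lines rather than something the report states; feeding every graph on the page through `call_sites()` for that address is one way to check it.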

                                Control-flow Graph

                                control_flow_graph 3077 6c6b0cb2-6c6b0cd3 call 6c703f10 call 6c66da86 3082 6c6b0cdc-6c6b0d1c call 6c6b353e 3077->3082 3083 6c6b0cd5-6c6b0cd7 3077->3083 3087 6c6b0d22-6c6b0d25 3082->3087 3088 6c6b10e0-6c6b10f0 call 6c66d875 3082->3088 3084 6c6b10f1-6c6b10fd 3083->3084 3089 6c6b0d2b-6c6b0d50 call 6c6b33b5 3087->3089 3090 6c6b10b1-6c6b10b5 3087->3090 3097 6c6b0d52-6c6b0d7f call 6c704250 3089->3097 3098 6c6b0d84-6c6b0d8e 3089->3098 3090->3088 3092 6c6b10b7-6c6b10ba 3090->3092 3092->3088 3095 6c6b10bc-6c6b10d8 3092->3095 3095->3088 3109 6c6b0d81 3097->3109 3100 6c6b0da0-6c6b0da8 3098->3100 3101 6c6b0d90-6c6b0d9b call 6c6b353e * 2 3098->3101 3102 6c6b0daa-6c6b0dbb call 6c6b353e 3100->3102 3103 6c6b0dbe-6c6b0dc6 3100->3103 3101->3100 3102->3103 3107 6c6b0dcc 3103->3107 3108 6c6b1021-6c6b103f call 6c666add call 6c66efdb 3103->3108 3112 6c6b0dd8-6c6b0de1 3107->3112 3113 6c6b0dce-6c6b0dd2 3107->3113 3130 6c6b104a-6c6b104f 3108->3130 3131 6c6b1041-6c6b1042 3108->3131 3109->3098 3116 6c6b0ecf-6c6b0ed2 3112->3116 3117 6c6b0de7-6c6b0df1 3112->3117 3113->3108 3113->3112 3119 6c6b0ef0-6c6b0ef6 3116->3119 3120 6c6b0ed4-6c6b0ede 3116->3120 3121 6c6b0e68-6c6b0e6d 3117->3121 3122 6c6b0df3-6c6b0e06 call 6c6b0a9a 3117->3122 3128 6c6b0ef8-6c6b0f02 3119->3128 3129 6c6b0f3e-6c6b0f41 3119->3129 3120->3121 3125 6c6b0ee0-6c6b0eeb call 6c6b0b0c 3120->3125 3121->3108 3126 6c6b0e73-6c6b0e79 3121->3126 3122->3121 3147 6c6b0e08-6c6b0e35 3122->3147 3125->3121 3135 6c6b0e7b-6c6b0e80 3126->3135 3136 6c6b0e82-6c6b0e87 3126->3136 3128->3121 3138 6c6b0f08-6c6b0f1c call 6c665cad 3128->3138 3132 6c6b0f5c-6c6b0f5f 3129->3132 3133 6c6b0f43-6c6b0f4d 3129->3133 3139 6c6b106a-6c6b106f 3130->3139 3140 6c6b1051-6c6b1068 call 6c6b07b7 3130->3140 3131->3130 3142 6c6b0f78-6c6b0f7e 3132->3142 3143 6c6b0f61-6c6b0f6b 3132->3143 3133->3121 3141 6c6b0f53-6c6b0f5a 3133->3141 3135->3135 3135->3136 3145 6c6b0e89-6c6b0e8f 3136->3145 3146 6c6b0e91-6c6b0e96 3136->3146 3173 6c6b0f22-6c6b0f26 3138->3173 3150 6c6b10a3-6c6b10ac call 6c666240 3139->3150 3151 6c6b1071-6c6b107a 3139->3151 3168 6c6b1091-6c6b109e call 6c666240 3140->3168 3152 6c6b0fc2-6c6b0fc7 call 6c665cad 3141->3152 3154 6c6b0f8c-6c6b0f92 3142->3154 3155 6c6b0f80-6c6b0f87 3142->3155 3143->3121 3153 6c6b0f71-6c6b0f76 3143->3153 3145->3145 3145->3146 3158 6c6b0e99-6c6b0e9d 3146->3158 3159 6c6b0e98 3146->3159 3156 6c6b0e37-6c6b0e42 call 6c6b1100 3147->3156 3157 6c6b0e44-6c6b0e46 3147->3157 3150->3090 3167 6c6b107c 3151->3167 3151->3168 3152->3121 3153->3152 3169 6c6b0fa0-6c6b0fa6 3154->3169 3170 6c6b0f94-6c6b0f9b 3154->3170 3155->3121 3156->3157 3163 6c6b0e48-6c6b0e53 call 6c6b1100 3157->3163 3164 6c6b0e55-6c6b0e58 3157->3164 3161 6c6b0e9f 3158->3161 3162 6c6b0ea0-6c6b0ea6 3158->3162 3159->3158 3161->3162 3183 6c6b10ae 3162->3183 3184 6c6b0eac-6c6b0ebe 3162->3184 3163->3164 3177 6c6b0e5a-6c6b0e60 call 6c6b1100 3164->3177 3178 6c6b0e65 3164->3178 3179 6c6b1083-6c6b108f 3167->3179 3194 6c6b100f-6c6b1016 3168->3194 3169->3108 3181 6c6b0fa8-6c6b0fb2 3169->3181 3170->3121 3174 6c6b0f28-6c6b0f2d 3173->3174 3175 6c6b0f2f-6c6b0f39 call 6c6b0a9a 3173->3175 3174->3173 3175->3121 3177->3178 3178->3121 3179->3168 3179->3179 3181->3121 3191 6c6b0fb8-6c6b0fc0 3181->3191 3183->3090 3192 6c6b0ebf-6c6b0ec2 3184->3192 3191->3152 3195 6c6b0ec8-6c6b0ecd 3192->3195 3196 6c6b0fcc-6c6b0fce 3192->3196 3194->3087 3199 6c6b101c 3194->3199 3195->3192 3197 6c6b0ff9-6c6b0ffd 3196->3197 3198 6c6b0fd0-6c6b0fed 3196->3198 3201 6c6b0fff-6c6b1004 3197->3201 3202 6c6b100c 3197->3202 3198->3197 3200 6c6b0fef-6c6b0ff7 3198->3200 3199->3088 3200->3197 3200->3200 3201->3202 3202->3194
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $$ K$, K$.$o
                                • API String ID: 3519838083-1786814033
                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction ID: 52f4f94bf494c880087a44353cf5926d352c407f6eace1699bfb581a88136f00
                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction Fuzzy Hash: 13D15771E042D98FCF01CFA8C6907EEBBB1BF06308F244269D851BBA41C7719916CB59

                                Control-flow Graph

                                control_flow_graph 3203 6c683798-6c6837ba call 6c703f10 3206 6c6837bc 3203->3206 3207 6c6837bf-6c6837cf call 6c66f028 3203->3207 3206->3207 3210 6c683b20-6c683b25 3207->3210 3211 6c6837d5-6c6837da 3207->3211 3214 6c683cf6-6c683d04 3210->3214 3212 6c6837dc 3211->3212 3213 6c6837df-6c68380f call 6c704210 call 6c7040e0 * 2 3211->3213 3212->3213 3221 6c68381b-6c683833 3213->3221 3222 6c683811-6c683818 3213->3222 3223 6c683840-6c683863 call 6c683dba call 6c66620c 3221->3223 3224 6c683835-6c68383a 3221->3224 3222->3221 3233 6c68387f 3223->3233 3234 6c683865-6c68387d call 6c70402a 3223->3234 3224->3223 3226 6c683ace-6c683af9 call 6c666add call 6c66f36c 3224->3226 3236 6c683bbc-6c683bce call 6c666240 3226->3236 3237 6c683aff-6c683b04 3226->3237 3239 6c683881-6c683894 call 6c6fc2e0 3233->3239 3234->3239 3249 6c683bd0-6c683bd2 3236->3249 3250 6c683bd6-6c683bd8 3236->3250 3242 6c683b2a-6c683b42 3237->3242 3243 6c683b06-6c683b18 call 6c666240 3237->3243 3252 6c6838a9-6c6838b2 3239->3252 3253 6c683896 3239->3253 3254 6c683b44-6c683b54 call 6c67238c 3242->3254 3255 6c683b56-6c683b79 call 6c67f10c 3242->3255 3243->3210 3258 6c683b1a-6c683b1c 3243->3258 3249->3250 3250->3214 3256 6c6838b8-6c6838bb 3252->3256 3257 6c68399d-6c6839a3 3252->3257 3259 6c683898-6c68389d 3253->3259 3260 6c6838a2-6c6838a4 3253->3260 3254->3255 3277 6c683bab-6c683bb4 3254->3277 3278 6c683b7b-6c683ba1 call 6c67cff7 call 6c67f1fc 3255->3278 3279 6c683ba3-6c683ba6 call 6c6eae40 3255->3279 3261 6c6838be-6c6838e8 call 6c666add call 6c66f36c 3256->3261 3264 6c6839f0-6c6839f6 3257->3264 3265 6c6839a5 3257->3265 3258->3210 3259->3260 3266 6c683abd-6c683ac9 call 6c683dcd 3260->3266 3296 6c6838ee-6c6838f0 3261->3296 3297 6c683a91-6c683a93 3261->3297 3272 6c6839f8 3264->3272 3273 6c683a2a-6c683a40 call 6c67cff7 call 6c67f4b1 3264->3273 3270 6c6839a8-6c6839d2 call 6c683d07 3265->3270 3266->3250 3293 6c6839d4 3270->3293 3294 6c6839d7-6c6839d9 3270->3294 3275 6c6839fa-6c683a0b call 6c6fc180 3272->3275 3273->3253 3306 6c683a46-6c683a5d call 6c67d0a2 3273->3306 3275->3253 3295 6c683a11-6c683a16 3275->3295 3277->3236 3288 6c683bb6-6c683bb8 3277->3288 3278->3279 3310 6c683bdd-6c683c00 call 6c67d0a2 call 6c6eae40 3278->3310 3279->3277 3288->3236 3293->3294 3294->3260 3300 6c6839df-6c6839ec 3294->3300 3295->3266 3301 6c683a1c-6c683a28 3295->3301 3302 6c683a95-6c683a9a 3296->3302 3303 6c6838f6-6c683910 3296->3303 3304 6c683aaf-6c683ab8 call 6c666240 3297->3304 3300->3270 3307 6c6839ee 3300->3307 3301->3273 3301->3275 3302->3304 3316 6c683928-6c68394f 3303->3316 3317 6c683912-6c683922 call 6c67238c 3303->3317 3304->3266 3318 6c683a5f-6c683a62 3306->3318 3319 6c683a80-6c683a8c call 6c683dcd 3306->3319 3307->3264 3337 6c683c08-6c683c1a call 6c666240 3310->3337 3338 6c683c02-6c683c04 3310->3338 3323 6c68395a-6c68396e 3316->3323 3324 6c683951-6c683957 3316->3324 3317->3316 3336 6c683a9c-6c683aa5 3317->3336 3325 6c683a65-6c683a6a 3318->3325 3335 6c683c22-6c683c62 call 6c704210 * 2 3319->3335 3326 6c683970-6c683972 3323->3326 3327 6c683976-6c683997 call 6c666240 3323->3327 3324->3323 3325->3266 3331 6c683a6c-6c683a6e 3325->3331 3326->3327 3327->3257 3327->3261 3332 6c683a70-6c683a75 3331->3332 3333 6c683a77-6c683a7e 3331->3333 3332->3333 3339 6c683aba-6c683abc 3332->3339 3333->3319 3333->3325 3350 6c683ccc-6c683cf4 call 6c67d2d6 call 6c67d1df 3335->3350 3351 6c683c64-6c683c68 3335->3351 3342 6c683aad 3336->3342 3343 6c683aa7-6c683aa9 3336->3343 3337->3335 3347 6c683c1c-6c683c1e 3337->3347 3338->3337 3339->3266 3342->3304 3343->3342 3347->3335 3350->3214 3352 6c683c6a-6c683c6e 3351->3352 3353 6c683cc0-6c683cca 3351->3353 3356 6c683c7f-6c683cbb call 6c704210 call 6c7041d0 call 6c67d2d6 call 6c67f7ff 3352->3356 3357 6c683c70-6c683c7a call 6c704210 3352->3357 3353->3214 3353->3350 3356->3353 3357->3356
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: >WJ$x$x
                                • API String ID: 2300968129-3162267903
                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction ID: 346a112f911b42b7c61c3dcb791e38f8473e15cb8867f2d1c4e848a2f14c5f21
                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction Fuzzy Hash: 24129BB1901209EFCF10DFA4C884AEDBBB5FF09318F20856DE815ABA50D7759949CF68

                                Control-flow Graph

                                control_flow_graph 3369 6c671fa6-6c671fe0 call 6c7040e0 call 6c704150 3374 6c671fe2-6c671fef call 6c7040e0 3369->3374 3375 6c672009-6c67200e 3369->3375 3382 6c671ff1 3374->3382 3383 6c671ff8-6c672006 call 6c704210 3374->3383 3377 6c672071-6c672074 3375->3377 3378 6c672010-6c67201f call 6c7040e0 3375->3378 3381 6c672077-6c67207b 3377->3381 3388 6c672041-6c672053 call 6c7040e0 call 6c704210 3378->3388 3389 6c672021 3378->3389 3385 6c671ff3-6c671ff6 3382->3385 3386 6c67206a-6c67206f 3382->3386 3383->3375 3385->3383 3385->3386 3386->3381 3399 6c672058-6c672061 3388->3399 3392 6c672023-6c672026 3389->3392 3393 6c672028-6c67203f call 6c704210 call 6c7040e0 3389->3393 3392->3388 3392->3393 3393->3399 3399->3377 3401 6c672063 3399->3401 3401->3386 3402 6c672065-6c672068 3401->3402 3402->3377 3402->3386
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 7fdedecd6f9d8e69a596e26d003c0dec0b4298d211370003a5143d2b06658e9d
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: A121E170A00219FADF208F959D8CDCF7BB9EB517ACF208626B52061690D2718DA0D775

                                Control-flow Graph

                                control_flow_graph 3403 6c6776ec-6c677705 call 6c703f10 3406 6c677707-6c67770c 3403->3406 3407 6c67771c-6c677723 3403->3407 3408 6c677715-6c67771a 3406->3408 3409 6c67770e-6c677713 3406->3409 3410 6c677724-6c677787 call 6c677e93 call 6c667204 call 6c6778f4 call 6c6a48d2 call 6c678009 3407->3410 3408->3410 3409->3410 3421 6c67779a-6c6777a3 3410->3421 3422 6c677789-6c677795 call 6c6779b9 3410->3422 3424 6c6777a5-6c6777b1 3421->3424 3425 6c6777cc-6c6777d9 3421->3425 3422->3421 3428 6c6777b3-6c6777be call 6c66a89f 3424->3428 3429 6c6777c0-6c6777c7 call 6c6673ec 3424->3429 3426 6c6777f0-6c6777f9 3425->3426 3427 6c6777db-6c6777eb call 6c6673ec 3425->3427 3432 6c677882-6c6778ae call 6c677965 call 6c666240 3426->3432 3433 6c6777ff-6c67780a 3426->3433 3427->3426 3428->3425 3429->3425 3433->3432 3436 6c67780c 3433->3436 3439 6c677811-6c677828 call 6c692109 3436->3439 3444 6c6778b1-6c6778d2 call 6c686173 call 6c703f30 3439->3444 3445 6c67782e-6c67783d 3439->3445 3450 6c6778d7-6c6778ee call 6c686173 3444->3450 3447 6c67783f-6c677843 3445->3447 3448 6c677849-6c677880 call 6c674c9e 3445->3448 3447->3448 3447->3450 3448->3432 3455 6c67780e 3448->3455 3457 6c6778f4-6c677964 call 6c703f10 call 6c667204 * 7 3450->3457 3458 6c6778ef call 6c703f30 3450->3458 3455->3439 3458->3457
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6776F1
                                  • Part of subcall function 6C686173: __EH_prolog.LIBCMT ref: 6C686178
                                • __EH_prolog.LIBCMT ref: 6C6778F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction ID: e7f5d1475f1debb3c1bc0e40c7f0e4d69d595cff287db51237667b5b83b178b1
                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction Fuzzy Hash: F571B030904255DFDB15CFA4C444BEDB7F4FF16308F1088A9E8556BB91CB74AA48CBA9

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6C0853
                                  • Part of subcall function 6C6C05DF: __EH_prolog.LIBCMT ref: 6C6C05E4
                                  • Part of subcall function 6C6C0943: __EH_prolog.LIBCMT ref: 6C6C0948
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: ((K$<(K$L(K$\(K
                                • API String ID: 3519838083-3238140439
                                • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                • Instruction ID: 4dbb00783cd40e02781e69196eee1499a5ba3f2f05bda6d40f1a6d9fb0efae50
                                • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                • Instruction Fuzzy Hash: 58215CB0A01B449ED724DF6AC54469BFBF8EF55304F108A1F80A687B50D7B4AA08CB69

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C68B41D
                                  • Part of subcall function 6C68BE40: __EH_prolog.LIBCMT ref: 6C68BE45
                                  • Part of subcall function 6C68B8EB: __EH_prolog.LIBCMT ref: 6C68B8F0
                                  • Part of subcall function 6C68B593: __EH_prolog.LIBCMT ref: 6C68B598
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction ID: 9c8ee28340c843562276315c79225cb66290e71c5fe664c92d4f8ccc6bf71f1e
                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction Fuzzy Hash: E821BB70D01248AECF04CBE1D9849ECBBB4AF26318F20006AD41273B80DF744E0CCB69

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction ID: c18c158f4353379bc73d81306a3327a46ad36959ee84cb92ca6b133c6e58f39e
                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction Fuzzy Hash: 7F11C2B0905B64CEC720CF5AC55459AFBE4BFA6708B10C91FC4A687B50CBF8A548CB99

                                Control-flow Graph

                                control_flow_graph 5288 6c6b3e3f-6c6b3eea call 6c703f10 call 6c6b3c9d call 6c6b353e call 6c6b3314 call 6c6bc04a call 6c6b59c7 call 6c6bc04a * 2 5305 6c6b41ee-6c6b422d call 6c66869a 5288->5305 5306 6c6b3ef0 5288->5306 5311 6c6b422f-6c6b423b call 6c7040c8 5305->5311 5312 6c6b423e-6c6b4276 call 6c666240 * 2 call 6c6b3284 call 6c6b3c9d call 6c6b599a 5305->5312 5308 6c6b3ef7-6c6b3f1d call 6c6b353e 5306->5308 5316 6c6b438b-6c6b439a call 6c703f30 5308->5316 5317 6c6b3f23-6c6b3f26 5308->5317 5311->5312 5339 6c6b4290-6c6b429c call 6c6b3447 5312->5339 5380 6c6b4278-6c6b428e call 6c6b3447 5312->5380 5322 6c6b439f-6c6b43a7 call 6c6b3434 5316->5322 5317->5316 5321 6c6b3f2c-6c6b3f32 5317->5321 5324 6c6b3f38-6c6b3f47 call 6c6b33b5 5321->5324 5325 6c6b40bf-6c6b40c2 5321->5325 5322->5339 5337 6c6b3f4d-6c6b3f56 5324->5337 5338 6c6b42c3-6c6b42d2 call 6c703f30 5324->5338 5327 6c6b40a7-6c6b40ac 5325->5327 5333 6c6b40ae-6c6b40b1 5327->5333 5334 6c6b40c4-6c6b40ca 5327->5334 5333->5334 5341 6c6b40b3-6c6b40ba 5333->5341 5335 6c6b40d0-6c6b40ed call 6c6b43bd * 2 5334->5335 5336 6c6b4327-6c6b4336 call 6c703f30 5334->5336 5382 6c6b40ef-6c6b40fa call 6c6b353e 5335->5382 5383 6c6b4140-6c6b414f 5335->5383 5355 6c6b433b-6c6b434a call 6c703f30 5336->5355 5343 6c6b3f5c-6c6b3f65 5337->5343 5344 6c6b42d7-6c6b42e6 call 6c703f30 5337->5344 5338->5344 5366 6c6b43ac-6c6b43ba 5339->5366 5367 6c6b42a2-6c6b42a5 5339->5367 5349 6c6b41a9-6c6b41cb 5341->5349 5352 6c6b3f6c-6c6b3f84 5343->5352 5353 6c6b3f67 call 6c6b3367 5343->5353 5360 6c6b42eb-6c6b42fa call 6c703f30 5344->5360 5356 6c6b41cd call 6c6b3367 5349->5356 5357 6c6b41d2-6c6b41e8 5349->5357 5364 6c6b3fc0-6c6b3fd2 5352->5364 5365 6c6b3f86 5352->5365 5353->5352 5375 6c6b434f-6c6b435e call 6c703f30 5355->5375 5356->5357 5357->5305 5361 6c6b3ef2-6c6b3ef5 5357->5361 5381 6c6b42ff-6c6b430e call 6c703f30 5360->5381 5361->5308 5376 6c6b3fe2-6c6b3fed 5364->5376 5377 6c6b3fd4-6c6b3fdd call 6c68b61b 5364->5377 5373 6c6b3f8b-6c6b3fb8 call 6c704250 5365->5373 5367->5322 5374 6c6b42ab-6c6b42ad 5367->5374 5408 6c6b3fba-6c6b3fbd 5373->5408 5409 6c6b3f88 5373->5409 5374->5322 5385 6c6b42b3-6c6b42c1 call 6c6b3d1d 5374->5385 5398 6c6b4363-6c6b4372 call 6c703f30 5375->5398 5378 6c6b3fef-6c6b3ffc call 6c6b353e 5376->5378 5379 6c6b4012-6c6b401c 5376->5379 5377->5376 5378->5360 5412 6c6b4002-6c6b400c call 6c6b353e 5378->5412 5394 6c6b4313-6c6b4322 call 6c703f30 5379->5394 5395 6c6b4022-6c6b4026 5379->5395 5380->5339 5381->5394 5382->5375 5413 6c6b4100-6c6b4108 5382->5413 5388 6c6b4151-6c6b4157 5383->5388 5389 6c6b4185-6c6b418a 5383->5389 5385->5339 5388->5389 5399 6c6b4159-6c6b4163 call 6c6b353e 5388->5399 5403 6c6b418c-6c6b4193 5389->5403 5404 6c6b41a3 5389->5404 5394->5336 5406 6c6b4028-6c6b403a call 6c6b353e 5395->5406 5407 6c6b4095-6c6b409e 5395->5407 5415 6c6b4377-6c6b4386 call 6c703f30 5398->5415 5399->5398 5431 6c6b4169-6c6b4171 5399->5431 5417 6c6b419d 5403->5417 5418 6c6b4195-6c6b4199 5403->5418 5404->5349 5404->5415 5429 6c6b403c-6c6b4041 call 6c6b3367 5406->5429 5430 6c6b4044-6c6b4048 5406->5430 5407->5324 5419 6c6b40a4 5407->5419 5408->5364 5409->5373 5412->5379 5412->5381 5413->5375 5424 6c6b410e-6c6b411e call 6c6b353e 5413->5424 5415->5316 5426 6c6b41a0 5417->5426 5418->5403 5423 6c6b419b 5418->5423 5419->5327 5423->5426 5424->5355 5437 6c6b4124-6c6b412c 5424->5437 5426->5404 5429->5430 5432 6c6b406a-6c6b4071 5430->5432 5433 6c6b404a-6c6b404e 5430->5433 5431->5398 5434 6c6b4177-6c6b4183 5431->5434 5440 6c6b4073-6c6b4077 5432->5440 5441 6c6b4092 5432->5441 5433->5432 5439 6c6b4050-6c6b4053 5433->5439 5434->5389 5434->5399 5437->5355 5444 6c6b4132-6c6b413e 5437->5444 5439->5441 5442 6c6b4055-6c6b4063 5439->5442 5440->5441 5443 6c6b4079-6c6b407c 5440->5443 5441->5407 5442->5441 5445 6c6b4065-6c6b4068 5442->5445 5443->5441 5446 6c6b407e-6c6b408d 5443->5446 5444->5382 5444->5383 5445->5441 5446->5441 5447 6c6b408f 5446->5447 5447->5441
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction ID: fd435bd5000e3a2b1a5bc9b4f38e483824aca62ba4aa993146543b4ef6da17b1
                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction Fuzzy Hash: D5129D74E05249DFCB04CFA5C580AEEBBB1BF09308F148469E446BBB51CB71E965CB68

                                Control-flow Graph

                                control_flow_graph 5448 6c67fb91-6c67fbba call 6c703f10 5451 6c67fbc3-6c67fbda call 6c7041d0 5448->5451 5452 6c67fbbc 5448->5452 5455 6c67fbe0-6c67fbee call 6c7041d0 5451->5455 5456 6c67fbdc-6c67fbde 5451->5456 5452->5451 5460 6c67fbfd-6c67fc0c 5455->5460 5456->5455 5457 6c67fbf0-6c67fbfa 5456->5457 5457->5460 5461 6c67fc0e-6c67fc13 5460->5461 5462 6c67fc19-6c67fc3a call 6c66620c 5460->5462 5461->5462 5463 6c67fd6e-6c67fd92 call 6c67cff7 5461->5463 5468 6c67fc5c 5462->5468 5469 6c67fc3c-6c67fc5a call 6c70402a 5462->5469 5471 6c67fd94-6c67fd96 5463->5471 5472 6c67fd98-6c67fdae call 6c67fec9 5463->5472 5470 6c67fc5e-6c67fc6c 5468->5470 5469->5470 5475 6c67fc6e 5470->5475 5476 6c67fc9a-6c67fcab call 6c67cff7 5470->5476 5471->5472 5477 6c67fdce-6c67fdd1 5471->5477 5486 6c67fdb0-6c67fdb9 5472->5486 5487 6c67fdbf-6c67fdc7 5472->5487 5480 6c67fc70-6c67fc98 5475->5480 5490 6c67fcad 5476->5490 5491 6c67fd0b-6c67fd15 call 6c68003a 5476->5491 5479 6c67fdd4-6c67fddb 5477->5479 5483 6c67fdf0-6c67fe6c call 6c67d0a2 call 6c704210 * 2 call 6c67d2d6 call 6c7040e0 call 6c67d1df 5479->5483 5484 6c67fddd-6c67fddf 5479->5484 5480->5476 5480->5480 5535 6c67feb6 5483->5535 5536 6c67fe6e-6c67fe76 5483->5536 5484->5483 5489 6c67fde1-6c67fdea 5484->5489 5486->5487 5497 6c67feb8-6c67fec6 5486->5497 5487->5472 5488 6c67fdc9-6c67fdcc 5487->5488 5488->5472 5488->5477 5489->5483 5489->5497 5494 6c67fcb0-6c67fcc0 5490->5494 5504 6c67fd17-6c67fd1f 5491->5504 5505 6c67fd49 5491->5505 5500 6c67fce3-6c67fce9 call 6c6fc200 5494->5500 5501 6c67fcc2-6c67fce1 call 6c67d506 call 6c6fc240 5494->5501 5510 6c67fcee-6c67fcf3 5500->5510 5501->5510 5511 6c67fd21-6c67fd24 5504->5511 5512 6c67fd38-6c67fd44 call 6c68007b 5504->5512 5508 6c67fd55-6c67fd57 5505->5508 5509 6c67fd4b-6c67fd50 5505->5509 5515 6c67fd5b-6c67fd69 call 6c68007b 5508->5515 5509->5508 5516 6c67fcf5 5510->5516 5517 6c67fcf8-6c67fcfa 5510->5517 5518 6c67fd27-6c67fd2b 5511->5518 5512->5479 5515->5497 5516->5517 5517->5505 5523 6c67fcfc-6c67fd09 5517->5523 5524 6c67fd2d-6c67fd36 5518->5524 5525 6c67fd59 5518->5525 5523->5491 5523->5494 5524->5512 5524->5518 5525->5515 5535->5497 5537 6c67fe90-6c67fe92 5536->5537 5538 6c67fe78-6c67fe82 5536->5538 5541 6c67fe94-6c67feb4 call 6c67f7ff 5537->5541 5539 6c67fe84-6c67fe86 5538->5539 5540 6c67fe88-6c67fe8e 5538->5540 5539->5541 5540->5541 5541->5497 5541->5535
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction ID: d1349507b145050ba5b7e5238303abda2cedf9c53f5c9a1f6898aa417ecdadfa
                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction Fuzzy Hash: 3AB14EB1E00209DFCB24CFA5C9909EEBBF1FF48358B20892ED415A7B50D7309A45CB69

                                Control-flow Graph

                                control_flow_graph 5545 6c6831d6-6c683202 call 6c703f10 call 6c6832bf 5550 6c68321c-6c68321e 5545->5550 5551 6c683204-6c683217 5545->5551 5552 6c683223-6c683229 5550->5552 5555 6c6832a0-6c6832ad 5551->5555 5552->5552 5554 6c68322b-6c683238 call 6c683300 5552->5554 5558 6c68323a-6c68324d call 6c67f173 5554->5558 5559 6c68328b-6c68329f 5554->5559 5563 6c683251-6c683257 5558->5563 5559->5555 5564 6c68325a-6c683272 call 6c683300 call 6c7025a0 5563->5564 5569 6c6832ae-6c6832b0 5564->5569 5570 6c683274-6c68327b 5564->5570 5569->5559 5570->5564 5571 6c68327d-6c683287 5570->5571 5572 6c683289 5571->5572 5573 6c68324f 5571->5573 5572->5559 5573->5563
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction ID: 7f6d3872b169d4855c30ea5d8a1d3a2a1dd411ffa953d2490ad8a40e97c6ce04
                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction Fuzzy Hash: C421B270E062058BCB04DFA8C4A01EEF7B2BB85304F14463AC512A3B81C7745A068B78

                                Control-flow Graph

                                control_flow_graph 5574 6c69a584-6c69a5ac call 6c703f10 call 6c666add 5579 6c69a5b1-6c69a5bb 5574->5579 5580 6c69a5bd-6c69a5c6 5579->5580 5581 6c69a5df-6c69a5eb 5579->5581 5582 6c69a5c8-6c69a5cb call 6c666c81 5580->5582 5583 6c69a5d0-6c69a5dd call 6c666ca1 5580->5583 5581->5579 5584 6c69a5ed-6c69a5ef 5581->5584 5582->5583 5583->5581 5587 6c69a61d-6c69a643 call 6c666b39 call 6c666240 5584->5587 5588 6c69a5f1-6c69a607 call 6c665d77 5584->5588 5595 6c69a609-6c69a60c call 6c666c81 5588->5595 5596 6c69a611-6c69a618 call 6c666ca1 5588->5596 5595->5596 5596->5587
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0$LrJ$x
                                • API String ID: 3519838083-658305261
                                • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                • Instruction ID: 6321b0e66e1fee1c6028f154d54f84fb4c463f497e9a73ce72c44d3c9d035aad
                                • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                • Instruction Fuzzy Hash: C9218E32D0111A9BCF04DBD8D990AEDB7F5EF59308F20005AD411B3B40DB75AE08CBAA
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C691ECC
                                  • Part of subcall function 6C67C58A: __EH_prolog.LIBCMT ref: 6C67C58F
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction ID: 73e0dda4ab3d86dad336a68f4ca7e8af0f350d4c815fc8d50e16df3382fe1862
                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction Fuzzy Hash: 2A21DAB0805B40CFC761CF6AC15428ABBF4BF2A708B00C95EC0AA97F11D7B4A548CF99
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6B01BA
                                  • Part of subcall function 6C6B0269: __EH_prolog.LIBCMT ref: 6C6B026E
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ
                                • API String ID: 3519838083-3152824450
                                • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                • Instruction ID: c456ea5f27ec4aa3c864876f1b75fd2f161aa3369e4042e55ff368a39cd0fd4b
                                • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                • Instruction Fuzzy Hash: C71104B1901750CFC320CF5AC5986D6FBF4FB25304F50C8AE90AA47711C7B4A508CB68
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction ID: ec4b540a31aa0c1cbd81a805fe6c5b69b5cb70165bf17126b7e1667e3d5aeaef
                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction Fuzzy Hash: F641A931C06249AFCF14DBA1D4908EEB774AF16308B20815ED1216BE70EB35AA4DCB7D
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                                • API String ID: 0-3393562052
                                • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                • Instruction ID: f3b20959cc3b043883a69564fe9d81f795dab0673a03a632bc82598fc3fdfae9
                                • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                • Instruction Fuzzy Hash: 5421F4B1580B419FC320CF16C58978BFBE4FB15755F90DA2E95AA57A40C7B8A208CB98
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: dc7b030b9867cf32337438d767e102441b27d0fcbe14f3918d435e3d74f30ca4
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: DB1190B6200348BFEB214BA5DC48EAFBBBDEB95758F00842DF24156A50CAB1AC14D734
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C66B077
                                  • Part of subcall function 6C66AFF5: __EH_prolog.LIBCMT ref: 6C66AFFA
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction ID: 0f0466b049d9c3fba0406fe65e7fba3b674468ac6096c7b150fdd226ac11ce27
                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction Fuzzy Hash: A2E1F130904209EACF10DFA6C890BEDB7B5AF9631CF108119E85267E91DB70A589DB5F
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x'K$|'K
                                • API String ID: 3519838083-1041342148
                                • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                • Instruction ID: 1597190ac8068fc35651b189fa9b751f386f51e31dcec537bb550cb094b7270f
                                • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                • Instruction Fuzzy Hash: 8ED1E870B44BC69ACB20DB61D850AEEB7B0EF0230CF204619D06653EA0DB75E94AD75F
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction ID: 22db46bed5949be58a6990320d08d88421cdf4a2ba6287c6b5ff1ca1dc21e9f0
                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction Fuzzy Hash: 67915A70914349EFCB10DFA9C8849DEFBF4BF19308F54451EE456A7A90D770AA48CB19
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C685C5D
                                  • Part of subcall function 6C68461A: __EH_prolog.LIBCMT ref: 6C68461F
                                  • Part of subcall function 6C684A2E: __EH_prolog.LIBCMT ref: 6C684A33
                                  • Part of subcall function 6C685EA5: __EH_prolog.LIBCMT ref: 6C685EAA
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction ID: 8e063465178a1896074dd2191053054bb1e9f2807afb2dbb79e9d288ca402b6f
                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction Fuzzy Hash: 4781AF31D01159DFCF15DFA4D994ADDB7B4AF1A308F20409AE402B7BA0DB70AE09CB69
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction ID: 9059e7bfe3e6fed506b5eb47709022d860976fa48f648e1f17300b83f274f065
                                • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction Fuzzy Hash: 2B61D272A006098FDF01CF64C640BEEBBF5AF45309F248058D854BBA81DB71DA19CBB9
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: CK$CK
                                • API String ID: 3519838083-2096518401
                                • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction ID: 289bc77e901c90556763c7bebffba9fef450ee20b356320c3c1ecce7547ff4ef
                                • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction Fuzzy Hash: A15181B6B003169FDB04CFA4C8D4AEEB3B5FF84318F148539D901AB741EB74A9158B68
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: <dJ$Q
                                • API String ID: 3519838083-2252229148
                                • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction ID: bc93f8ad7e7eacedfbb00430c83c4e08719ab6e7fd76e202c87877d2b5613b57
                                • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction Fuzzy Hash: 1E51A17190520AEFCF00DF95D8808EDB7B1FF49318F10852EE511ABA90D7759A8ACB79
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $D^J
                                • API String ID: 3519838083-3977321784
                                • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction ID: 6d8cbd1f7e9db821ead45a90109c15e6bbcf0ef54c81294a995aa7ecf938c8b4
                                • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction Fuzzy Hash: 8E415A60A066906ED7229A28C4507E8BBA15F5F348F14815BC49147EE1DBA8588BC3BD
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 8)L$8)L
                                • API String ID: 3519838083-2235878380
                                • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                • Instruction ID: 238bc1d0e3b9c52be18fab05c2ee2505f1d139b1ac031ee70b9ec20f93b4651c
                                • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                • Instruction Fuzzy Hash: 7351D231A01601CFD7148F65D990AEAB7F2FF86318F50452ED19A9BA61DB307848CF5C
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: qJ$#
                                • API String ID: 3519838083-4209149730
                                • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                • Instruction ID: 40cf6589725ab1f55417fac45170db8416be92eaf7e2e9f1112de1eb247e9861
                                • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                • Instruction Fuzzy Hash: 60516D7590424ADFCF00CFA9C5409DDBBB5BF09318F14855AE811ABBA1C735EE05CBA5
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: PdJ$Q
                                • API String ID: 3519838083-3674001488
                                • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction ID: 0aa07f46f760769ed90553f46d5c96540a3ee6323295242d0370aa12b692a382
                                • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction Fuzzy Hash: 67419D71D0A206DBCB10DFA9C4A08DDB7B0FF49718B10816BEA65A7A50C3309A45CBB9
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: X&L$p|J
                                • API String ID: 3519838083-2944591232
                                • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                • Instruction ID: 65cf7beb2bea046885339fcd3e64f15bc0af10de1a870f60fdd96833b6012b63
                                • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                • Instruction Fuzzy Hash: 903135316CD105CBD7009BDAE90DFE97775EB12328F10012AD618E2EA0CB61CDC78A6D
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction ID: 7468734fb89835c9853fd43233ccf5f678336d7bbed192846a41a6ba090b9a39
                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction Fuzzy Hash: 7C416E31601785EFDF119FA1C4907EEBBE2FF46308F00442EE55A97A50CB31A956CB9A
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction ID: 5d2cc57a0b7bd6f04c3e7b2d999adc968404a015a5531ce0e8dfe573e2f6e2fa
                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction Fuzzy Hash: 5B2188F0A007046ED720DFA98C84B5BFAFDEB54754F10891EE185D7B40DB70A9458769
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: #$4qJ
                                • API String ID: 3519838083-3965466581
                                • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                • Instruction ID: a99e5582b3b1626cec788874ed5ba6835e575a2068b7c6ba95e6e09bfaa1007f
                                • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                • Instruction Fuzzy Hash: 5931BD35A0521ADFDF10CF56C950AEE73B9AF49318F04415AE812ABB60CB74ED05CBA8
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction ID: 009e7d0e7de867073e6d66921c51d57f8760ee0eb28aedfe246cf33f1c8a5b6b
                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction Fuzzy Hash: BB016D72E0520ADACB10DFA984809AEFBB4EF59708F90842EE569E3A41C3345904CB99
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction ID: 952bc1e4e77b33a81228ef00de8388399a3759d5d942570744ad28fa09832317
                                • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction Fuzzy Hash: 57117C71A00209DBCB10CFA9C49459EB7F5FF59308B50C82ED429E7B00D3349A15CB69
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: p/K$J
                                • API String ID: 3519838083-2069324279
                                • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction ID: edafdd652f659c63b28900c717becfcddb446e95a8d9c0cf2d8fe8a274ffc1ed
                                • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction Fuzzy Hash: EF01BCB2A017019FD724CF59D5087AAF7F8EF5571DF10C81E9052A3B80C7F8A5088BA9
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6AA185
                                  • Part of subcall function 6C6AA22B: __EH_prolog.LIBCMT ref: 6C6AA230
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                • Instruction ID: 29bc16d9955c28203bd3366e6b7a9a8764e2009260428fe7070a1138cf4016f4
                                • Opcode Fuzzy Hash: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                • Instruction Fuzzy Hash: D6116DB0911B108BC3249F2AD4546D6FBF8FFA5714B50C91F94AA87B20C7B8A5588F98
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6A7FCC
                                  • Part of subcall function 6C6A74D1: __EH_prolog.LIBCMT ref: 6C6A74D6
                                  • Part of subcall function 6C6A614B: __EH_prolog.LIBCMT ref: 6C6A6150
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction ID: 893f9142a63e1d2467e22156e104701ae70d287b306da742aa20f7a304aeaccc
                                • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction Fuzzy Hash: F901C5B1904B51CFC325CF9AC5A468AFBE0FB15708F90CD5EC0A657B51D7B8A908CB68
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6C8439
                                  • Part of subcall function 6C6C84BA: __EH_prolog.LIBCMT ref: 6C6C84BF
                                  • Part of subcall function 6C6AA22B: __EH_prolog.LIBCMT ref: 6C6AA230
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: D.K$T.K
                                • API String ID: 3519838083-2437000251
                                • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                • Instruction ID: bd8e1d0eb3fb8fecb59c6e4555c8b2af4930ffabf6bbd6686458d38b64a8e9c3
                                • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                • Instruction Fuzzy Hash: 86011E70911751CFC724CF65C5142DABBF0EF19704F00C95F80AA97B40D7B8AA48CB99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 8)L$8rJ
                                • API String ID: 3519838083-896068166
                                • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                • Instruction ID: 4bc6821e342ceb81810cb922a2cf62ef1bc3f51f2b81dbed4a72b34b2afdef9e
                                • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                • Instruction Fuzzy Hash: A2F01776A04114EFC700CF98D949ADEBBF8EF46354F14806AF405A7211C7B89A048BA5
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6A13F9
                                  • Part of subcall function 6C6A1320: __EH_prolog.LIBCMT ref: 6C6A1325
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: `)L$|{J
                                • API String ID: 3519838083-2198066115
                                • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction ID: 0333c58a2e1b5150a1a9dccdfabd82e6dfda45ee2865d91c0f9bf57ee5133485
                                • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction Fuzzy Hash: DDF0A076610014FFCB059F94DC08FDEBBB9FF4A314F00802AF505A6650CBB5AA15CB98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: |zJ
                                • API String ID: 3037903784-3782439380
                                • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction ID: dc6af35dfbe629abc6f934d6a290e878c26f32a271383fd85b31bce1a6801033
                                • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction Fuzzy Hash: 4FE03972A05661EFEB148F89D800BDEB3A8FF55B14F10401F9016A7A51CBB1AC558689
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: \~J
                                • API String ID: 3037903784-3176329776
                                • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                • Instruction ID: 7a48c53bb6df00f8627c373bbe8dd18d981cadec936962ac5dddb7408179c616
                                • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                • Instruction Fuzzy Hash: EBE06D76A0A5119FEB28CF89EC51BEEF3B8EF55B18F10415E9011A7A51CFF1EC018689
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C6A60E0
                                  • Part of subcall function 6C6A614B: __EH_prolog.LIBCMT ref: 6C6A6150
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                • Instruction ID: 39b1bbcd4eba01ecade949c97c57650fdb7dd5efee6f1e54af70910a78dc21e0
                                • Opcode Fuzzy Hash: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                • Instruction Fuzzy Hash: C0F0C4B0901B51CFC724DF59D95468ABBF0FB16708B50C91F80AA97B10D7B8A548CBA8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction ID: e873f21a4b52486302b8a30afaa07a3f2353c2a6f6de529831a6ef5e43668bf0
                                • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction Fuzzy Hash: C1E06D72B055129BDB089F49E810BDEF7B9EF55714F15011EA011A7B51CBB1A8008689
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @ K$DJ$T)K$X/K
                                • API String ID: 0-3815299647
                                • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                • Instruction ID: f3abc04bbfd064b535d6af89393494fad55358e853f8e55d2bb2a21fec9eaabf
                                • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                • Instruction Fuzzy Hash: C9918D34705205ABCB00EB65C4507EAB7A2EF4230CF148819C8679BF85DB75E969C76F
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463
                                • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction ID: 7cd3ead1c636333751f39aeef2ed35b954e4ba5ee5c526177d4365b340761f26
                                • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction Fuzzy Hash: 1E518431A082099BDF00DF96E840ADEB7B5EF1631CF10451AE821A7F90DB75E949C79E
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: (?K$8?K$H?K$CK
                                • API String ID: 0-3450752836
                                • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction ID: 149969a3e78d021a1c96c6f07466db89c694b6479963286215b62c3e58e6ae71
                                • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction Fuzzy Hash: 1AF01DB06067009FC3208F06D54869BB7F4AB45709F50C91FE09A97A40D3B8A5088FAD
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2247196621.000000006C665000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C665000, based on PE: true
                                • Associated: 00000007.00000002.2247793860.000000006C736000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c570000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: 00K$@0K$P0K$`0K
                                • API String ID: 0-1070766156
                                • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                                • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8

                                Execution Graph

                                Execution Coverage: 3.9%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 1.8%
                                Total number of Nodes: 2000
                                Total number of Limit Nodes: 36
                                execution_graph 75362 28a42c 75363 28a449 75362->75363 75364 28a435 fputs 75362->75364 75521 28545d 75363->75521 75520 251fa0 fputc 75364->75520 75371 28a4c9 75590 251e40 free 75371->75590 75373 28a4d8 75374 28a4ee 75373->75374 75591 28c7d7 75373->75591 75376 28a50e 75374->75376 75599 2857fb 75374->75599 75609 28c73e 75376->75609 75381 28ac17 75383 28ac23 75381->75383 75798 282db9 free ctype 75381->75798 75387 28ac3a 75383->75387 75390 28ac35 75383->75390 75386 28a54d 75632 252fec 75386->75632 75800 28b96d _CxxThrowException 75387->75800 75799 28b988 33 API calls __aulldiv 75390->75799 75391 28ac42 75801 251e40 free 75391->75801 75395 28ac4d 75802 273247 75395->75802 75398 28a586 75638 28ad06 75398->75638 75401 28ac7d 75809 2511c2 free __EH_prolog ctype 75401->75809 75405 28ac89 75810 28be0c free __EH_prolog ctype 75405->75810 75409 28ac98 75811 282db9 free ctype 75409->75811 75412 252e04 2 API calls 75414 28a636 75412->75414 75413 28aca4 75656 274345 75414->75656 75417 28a676 75662 272096 75417->75662 75420 28a66f 75758 28b96d _CxxThrowException 75420->75758 75423 28a6e2 75425 28a722 75423->75425 75759 251fa0 fputc 75423->75759 75424 28c7d7 ctype 6 API calls 75424->75423 75426 28a79e 75425->75426 75774 251fa0 fputc 75425->75774 75430 28a6fa fputs 75497 28aae5 75797 282db9 free ctype 75497->75797 75520->75363 75522 285473 75521->75522 75523 285466 75521->75523 75525 252e04 75522->75525 75812 25275e malloc _CxxThrowException free ctype 75523->75812 75526 251e0c ctype 2 API calls 75525->75526 75527 252e11 75526->75527 75528 271858 75527->75528 75529 271862 __EH_prolog 75528->75529 75813 27021a 75529->75813 75534 2718b9 75827 271aa5 free __EH_prolog ctype 75534->75827 75536 271935 75838 271aa5 free __EH_prolog ctype 75536->75838 75537 2718c7 75828 282db9 free ctype 75537->75828 75540 271944 75562 271966 75540->75562 75839 271d73 5 API calls __EH_prolog 75540->75839 75542 2718d3 75542->75371 75545 271958 _CxxThrowException 75545->75562 
75547 2719be 75846 27f1f1 malloc _CxxThrowException free _CxxThrowException 75547->75846 75548 252e04 2 API calls 75548->75562 75549 2718db 75549->75536 75829 270144 malloc _CxxThrowException free _CxxThrowException 75549->75829 75830 2904d2 75549->75830 75836 251524 malloc _CxxThrowException __EH_prolog ctype 75549->75836 75837 251e40 free 75549->75837 75552 2719d6 75847 277ebb 75552->75847 75556 2904d2 5 API calls 75556->75562 75559 277ebb free 75561 2719f7 75559->75561 75563 2612d4 4 API calls 75561->75563 75562->75547 75562->75548 75562->75556 75840 25631f 75562->75840 75844 251524 malloc _CxxThrowException __EH_prolog ctype 75562->75844 75845 251e40 free 75562->75845 75572 2719ff 75563->75572 75565 271a4f 75860 251e40 free 75565->75860 75566 251524 malloc _CxxThrowException 75566->75572 75568 271a57 75861 282db9 free ctype 75568->75861 75570 271a64 75862 282db9 free ctype 75570->75862 75572->75565 75572->75566 75574 271a83 75572->75574 75859 2542e3 CharUpperW 75572->75859 75863 271d73 5 API calls __EH_prolog 75574->75863 75576 271a97 _CxxThrowException 75577 271aa5 __EH_prolog 75576->75577 75864 251e40 free 75577->75864 75579 271ac8 75865 2702e8 free ctype 75579->75865 75581 271ad1 75866 271eab free __EH_prolog ctype 75581->75866 75583 271add 75867 251e40 free 75583->75867 75585 271ae5 75868 251e40 free 75585->75868 75587 271aed 75869 282db9 free ctype 75587->75869 75589 271afa 75589->75371 75590->75373 75592 28c849 75591->75592 75593 28c7ea 75591->75593 75595 28c85a 75592->75595 76345 251f91 fflush 75592->76345 75594 28c7fe fputs 75593->75594 76344 2525cb malloc _CxxThrowException free _CxxThrowException ctype 75593->76344 75594->75592 75595->75374 75600 285805 __EH_prolog 75599->75600 75608 285847 75600->75608 76346 2526dd 75600->76346 75606 28583f 76366 251e40 free 75606->76366 75608->75376 75610 28c748 __EH_prolog 75609->75610 75611 28c7d7 ctype 6 API calls 75610->75611 75612 28c75d 75611->75612 76405 251e40 free 75612->76405 75614 28c768 76406 272c0b 
75614->76406 75618 28c77d 76412 251e40 free 75618->76412 75620 28c785 76413 251e40 free 75620->76413 75622 28c78d 76414 251e40 free 75622->76414 75624 28c795 75625 272c0b ctype free 75624->75625 75626 28a51d 75625->75626 75626->75497 75627 251e0c 75626->75627 75628 251e15 75627->75628 75629 251e1c malloc 75627->75629 75628->75629 75630 251e3e 75629->75630 75631 251e2a _CxxThrowException 75629->75631 75630->75386 75756 28b0fa malloc _CxxThrowException __EH_prolog 75630->75756 75631->75630 75633 252ffc 75632->75633 75634 252ff8 75632->75634 75633->75634 75635 251e0c ctype 2 API calls 75633->75635 75634->75398 75636 253010 75635->75636 76417 251e40 free 75636->76417 76418 28ad29 75638->76418 75641 28bf3e 75642 252fec 3 API calls 75641->75642 75643 28bf85 75642->75643 75644 252fec 3 API calls 75643->75644 75645 28a5ee 75644->75645 75646 263a29 75645->75646 75647 263a37 75646->75647 75648 263a3b 75646->75648 75647->75412 76424 263bd9 free ctype 75648->76424 75650 263a42 75651 263a67 75650->75651 75652 263a52 _CxxThrowException 75650->75652 75655 263a6f 75650->75655 76425 290551 malloc _CxxThrowException free memcpy ctype 75651->76425 75652->75651 75655->75647 76426 263b76 malloc _CxxThrowException __EH_prolog ctype 75655->76426 75657 27434f __EH_prolog 75656->75657 75658 252e04 2 API calls 75657->75658 75659 27436d 75658->75659 75660 252e04 2 API calls 75659->75660 75661 274379 75660->75661 75661->75417 75757 27375c 22 API calls 2 library calls 75661->75757 75680 2720a0 __EH_prolog 75662->75680 75663 2721f0 75664 272209 75663->75664 75665 251e0c ctype 2 API calls 75663->75665 75666 251e0c ctype 2 API calls 75664->75666 75665->75664 75668 272235 75666->75668 75667 252e04 2 API calls 75667->75680 75669 272248 75668->75669 76427 264250 75668->76427 76445 272c22 75669->76445 75670 252f1c 2 API calls 75670->75680 75673 256c72 44 API calls 75673->75680 75674 251e40 free ctype 75674->75680 75676 27224c 76623 25757d GetLastError 75676->76623 75677 272251 76624 272c6c 6 API 
calls 2 library calls 75677->76624 75680->75663 75680->75667 75680->75670 75680->75673 75680->75674 75680->75676 75680->75677 76622 26089e malloc _CxxThrowException free _CxxThrowException memcpy 75680->76622 75682 272277 76625 251e40 free 75682->76625 75684 27232b 75687 272347 75684->75687 75690 252e04 2 API calls 75684->75690 75695 256c72 44 API calls 75684->75695 75696 272969 75684->75696 75700 272836 75684->75700 75707 252fec malloc _CxxThrowException free 75684->75707 75708 272855 75684->75708 75712 27289d 75684->75712 75719 251e40 free ctype 75684->75719 75724 273247 free 75684->75724 75727 252f1c 2 API calls 75684->75727 75731 2728e6 75684->75731 75737 272921 75684->75737 75750 251fa0 fputc 75684->75750 76449 2647dd 75684->76449 76453 286086 75684->76453 76465 272b09 75684->76465 76471 2731d8 75684->76471 76477 272a72 75684->76477 76481 286359 75684->76481 76524 272cdb 75684->76524 76610 272bb5 75684->76610 76628 263e26 30 API calls 2 library calls 75684->76628 76629 256456 9 API calls 2 library calls 75684->76629 76630 25859e malloc _CxxThrowException free _CxxThrowException 75684->76630 76631 27204d CharUpperW 75684->76631 75686 27227f 76626 251e40 free 75686->76626 76644 251e40 free 75687->76644 75688 272a55 76645 251e40 free 75688->76645 75690->75684 75692 272287 76627 251e40 free 75692->76627 75693 27228f 75693->75423 75693->75424 75695->75684 76641 25757d GetLastError 75696->76641 75698 27296e 76632 251e40 free 75700->76632 75707->75684 76633 251e40 free 75708->76633 75710 272860 76635 251e40 free 75712->76635 75715 2728a8 75717 273247 free 75715->75717 75719->75684 75724->75684 75727->75684 76637 251e40 free 75731->76637 75735 2728f1 76639 251e40 free 75737->76639 75742 27292c 75750->75684 75756->75386 75757->75420 75758->75417 75759->75430 75797->75381 75798->75383 75799->75387 75800->75391 75801->75395 75806 27324e 75802->75806 75803 273260 77865 251e40 free 75803->77865 75806->75803 77866 251e40 free 75806->77866 75807 273267 75808 251e40 free 
75807->75808 75808->75401 75809->75405 75810->75409 75811->75413 75812->75522 75814 270224 __EH_prolog 75813->75814 75870 263d66 75814->75870 75817 27062e 75818 270638 __EH_prolog 75817->75818 75819 2706de 75818->75819 75823 2701bc malloc _CxxThrowException free _CxxThrowException memcpy 75818->75823 75826 2706ee 75818->75826 75886 270703 75818->75886 75956 282db9 free ctype 75818->75956 75957 27019a malloc _CxxThrowException free memcpy 75819->75957 75821 2706e6 75958 271453 26 API calls 2 library calls 75821->75958 75823->75818 75826->75534 75826->75549 75827->75537 75828->75542 75829->75549 75831 2904df 75830->75831 75832 290513 75830->75832 75833 2904e8 _CxxThrowException 75831->75833 75834 2904fd 75831->75834 75832->75549 75833->75834 76290 290551 malloc _CxxThrowException free memcpy ctype 75834->76290 75836->75549 75837->75549 75838->75540 75839->75545 75841 259245 75840->75841 76291 2590da 75841->76291 75844->75562 75845->75562 75846->75552 75848 277ec6 75847->75848 75849 2719e1 75847->75849 75848->75849 75850 251e40 free ctype 75848->75850 75851 2612d4 75849->75851 75850->75848 75852 2612e7 75851->75852 75858 261327 75851->75858 75853 261304 75852->75853 75854 2612ef _CxxThrowException 75852->75854 76343 251e40 free 75853->76343 75854->75853 75856 26130b 75857 251e0c ctype 2 API calls 75856->75857 75857->75858 75858->75559 75859->75572 75860->75568 75861->75570 75862->75542 75863->75576 75864->75579 75865->75581 75866->75583 75867->75585 75868->75587 75869->75589 75881 2efb10 75870->75881 75872 263d70 GetCurrentProcess 75882 263e04 75872->75882 75874 263d8d OpenProcessToken 75875 263de3 75874->75875 75876 263d9e LookupPrivilegeValueW 75874->75876 75878 263e04 CloseHandle 75875->75878 75876->75875 75877 263dc0 AdjustTokenPrivileges 75876->75877 75877->75875 75879 263dd5 GetLastError 75877->75879 75880 263def 75878->75880 75879->75875 75880->75817 75881->75872 75883 263e11 CloseHandle 75882->75883 75884 263e0d 75882->75884 75885 263e21 75883->75885 
75884->75874 75885->75874 75887 27070d __EH_prolog 75886->75887 75892 270c83 75887->75892 75898 270ab5 75887->75898 75906 252e04 2 API calls 75887->75906 75917 252fec 3 API calls 75887->75917 75927 270b26 75887->75927 75942 270b40 75887->75942 75943 282db9 free ctype 75887->75943 75950 270b48 75887->75950 75951 2904d2 malloc _CxxThrowException free _CxxThrowException memcpy 75887->75951 75953 251524 malloc _CxxThrowException 75887->75953 75954 251e40 free ctype 75887->75954 75959 252da9 75887->75959 75962 252f4a malloc _CxxThrowException free ctype 75887->75962 75963 251089 malloc _CxxThrowException free _CxxThrowException 75887->75963 75964 2713eb 5 API calls 2 library calls 75887->75964 75965 27050b 75887->75965 75970 270021 GetLastError 75887->75970 75971 2549bd 9 API calls 2 library calls 75887->75971 75972 270306 12 API calls 75887->75972 75973 26ff00 5 API calls 2 library calls 75887->75973 75974 27057d 16 API calls 2 library calls 75887->75974 75975 270f8e 24 API calls 2 library calls 75887->75975 75976 25472e CharUpperW 75887->75976 75977 268984 malloc _CxxThrowException free _CxxThrowException memcpy 75887->75977 75978 270ef4 68 API calls 2 library calls 75887->75978 75888 270e1d 76000 270416 18 API calls 2 library calls 75888->76000 75890 270e47 75904 270ea6 75890->75904 76001 27117d 68 API calls 2 library calls 75890->76001 75891 270d11 75991 257496 7 API calls 2 library calls 75891->75991 75892->75888 75892->75891 75895 270c13 75988 251e40 free 75895->75988 75898->75895 75901 252da9 2 API calls 75898->75901 75908 252e04 2 API calls 75898->75908 75920 252fec 3 API calls 75898->75920 75924 27050b 44 API calls 75898->75924 75932 270c79 75898->75932 75940 251e40 free ctype 75898->75940 75979 252f4a malloc _CxxThrowException free ctype 75898->75979 75984 251089 malloc _CxxThrowException free _CxxThrowException 75898->75984 75985 2713eb 5 API calls 2 library calls 75898->75985 75986 270ef4 68 API calls 2 library calls 75898->75986 75987 282db9 free ctype 
__EH_prolog 78852->78853 78854 29f445 14 API calls 78853->78854 78855 29d018 78854->78855 78859 29d01f 78855->78859 78872 2a1511 78855->78872 78857 29d08b 78857->78859 78878 2a2c5d 11 API calls 2 library calls 78857->78878 78859->78770 78861 29f455 78860->78861 79004 261092 78861->79004 78865 29f478 78865->78770 78867 29550f __EH_prolog 78866->78867 79017 294e8a 78867->79017 78870->78773 78871->78771 78873 2a151b __EH_prolog 78872->78873 78879 2a10d3 78873->78879 78876 2a1589 78876->78857 78877 2a1552 _CxxThrowException 78877->78857 78878->78859 78880 2a10dd __EH_prolog 78879->78880 78881 29d1b7 free 78880->78881 78882 2a10f2 78881->78882 78883 2a12ef 78882->78883 78884 2a11f4 78882->78884 78889 261168 10 API calls 78882->78889 78883->78876 78883->78877 78884->78883 78910 25b95a 6 API calls 78884->78910 78885 2a139e 78885->78883 78886 2a13c4 78885->78886 78887 251e0c ctype 2 API calls 78885->78887 78911 261168 78886->78911 78887->78886 78889->78884 78890 2a13da 78891 2a13de 78890->78891 78894 2a13f9 78890->78894 78949 29ef67 _CxxThrowException 78890->78949 78955 251e40 free 78891->78955 78914 29f047 78894->78914 78897 2a14ba 78953 2a0943 50 API calls 2 library calls 78897->78953 78899 2a1450 78918 2a06ae 78899->78918 78901 2a14e7 78954 282db9 free ctype 78901->78954 78906 2a148e 78907 29f047 _CxxThrowException 78906->78907 78908 2a14ac 78907->78908 78908->78897 78952 29ef67 _CxxThrowException 78908->78952 78910->78885 78912 26111c 10 API calls 78911->78912 78913 26117b 78912->78913 78913->78890 78915 29f063 78914->78915 78916 29f072 78915->78916 78956 29ef67 _CxxThrowException 78915->78956 78916->78897 78916->78899 78950 29ef67 _CxxThrowException 78916->78950 78919 2a06b8 __EH_prolog 78918->78919 78957 2a03f4 78919->78957 78921 2612a5 5 API calls 78947 2a0715 78921->78947 78922 29b8dc ctype free 78923 2a08a6 78922->78923 78987 251e40 free 78923->78987 78924 2a08e3 _CxxThrowException 78926 2a08f7 78924->78926 78931 29b8dc ctype free 78926->78931 78927 2a08ae 78988 
251e40 free 78927->78988 78928 25429a 3 API calls 78928->78947 78930 2a08b6 78989 251e40 free 78930->78989 78933 2a0914 78931->78933 78991 251e40 free 78933->78991 78934 251e0c ctype 2 API calls 78934->78947 78935 2a08be 78990 29c149 free ctype 78935->78990 78938 2a091c 78992 251e40 free 78938->78992 78939 2a08d0 78939->78901 78939->78906 78951 29ef67 _CxxThrowException 78939->78951 78941 2a0924 78993 251e40 free 78941->78993 78943 2981ec 29 API calls 78943->78947 78944 2a092c 78994 29c149 free ctype 78944->78994 78946 2a0877 78946->78922 78947->78921 78947->78924 78947->78926 78947->78928 78947->78934 78947->78943 78947->78946 78948 29ef67 _CxxThrowException 78947->78948 78948->78947 78949->78894 78950->78899 78951->78906 78952->78897 78953->78901 78954->78891 78955->78883 78956->78916 78958 29f047 _CxxThrowException 78957->78958 78959 2a0407 78958->78959 78962 29f047 _CxxThrowException 78959->78962 78963 2a0475 78959->78963 78960 2a049a 78961 2a04b8 78960->78961 78999 2a159a malloc _CxxThrowException free ctype 78960->78999 78964 2a04e8 78961->78964 78968 2a04cd 78961->78968 78965 2a0421 78962->78965 78963->78960 78998 29fa3f 22 API calls 2 library calls 78963->78998 79001 2a7c4a malloc _CxxThrowException free ctype 78964->79001 78969 2a043e 78965->78969 78995 29ef67 _CxxThrowException 78965->78995 79000 29fff0 9 API calls 2 library calls 78968->79000 78996 29f93c 7 API calls 2 library calls 78969->78996 78971 2a0492 78974 29f047 _CxxThrowException 78971->78974 78974->78960 78975 2a04e3 78982 2a054a 78975->78982 79003 29ef67 _CxxThrowException 78975->79003 78976 2a0446 78979 2a046d 78976->78979 78997 29ef67 _CxxThrowException 78976->78997 78977 2a04db 78980 29f047 _CxxThrowException 78977->78980 78981 29f047 _CxxThrowException 78979->78981 78980->78975 78981->78963 78982->78947 78986 2a04f3 78986->78975 79002 26089e malloc _CxxThrowException free _CxxThrowException memcpy 78986->79002 78987->78927 78988->78930 78989->78935 78990->78939 78991->78938 78992->78941 
78993->78944 78994->78939 78995->78969 78996->78976 78997->78979 78998->78971 78999->78961 79000->78977 79001->78986 79002->78986 79003->78982 79006 25b95a 6 API calls 79004->79006 79005 2610aa 79005->78865 79007 29f1b2 79005->79007 79006->79005 79008 29f1bc __EH_prolog 79007->79008 79009 261168 10 API calls 79008->79009 79010 29f1d3 79009->79010 79011 29f21c _CxxThrowException 79010->79011 79012 29f231 memcpy 79010->79012 79014 29f1e6 79010->79014 79011->79012 79013 29f24c 79012->79013 79013->79014 79015 29f2f0 memmove 79013->79015 79016 29f31a memcpy 79013->79016 79014->78865 79015->79013 79016->79014 79018 294e94 __EH_prolog 79017->79018 79019 252e04 2 API calls 79018->79019 79035 294f1d 79018->79035 79020 294ed7 79019->79020 79149 267fc5 79020->79149 79022 294f0a 79024 25965d VariantClear 79022->79024 79023 294f37 79025 294f41 79023->79025 79026 294f63 79023->79026 79029 294f15 79024->79029 79027 25965d VariantClear 79025->79027 79028 252f88 3 API calls 79026->79028 79030 294f4c 79027->79030 79031 294f71 79028->79031 79170 251e40 free 79029->79170 79171 251e40 free 79030->79171 79034 25965d VariantClear 79031->79034 79036 294f80 79034->79036 79035->78770 79172 265bcf malloc _CxxThrowException 79036->79172 79038 294f9a 79039 252e47 2 API calls 79038->79039 79040 294fad 79039->79040 79041 252f1c 2 API calls 79040->79041 79042 294fbd 79041->79042 79043 252e04 2 API calls 79042->79043 79044 294fd1 79043->79044 79045 252e04 2 API calls 79044->79045 79053 294fdd 79045->79053 79046 295404 79211 251e40 free 79046->79211 79048 29540c 79212 251e40 free 79048->79212 79050 295414 79213 251e40 free 79050->79213 79053->79046 79173 265bcf malloc _CxxThrowException 79053->79173 79054 295099 79056 252da9 2 API calls 79054->79056 79055 29541c 79214 251e40 free 79055->79214 79059 2950a9 79056->79059 79058 295424 79215 251e40 free 79058->79215 79060 252fec 3 API calls 79059->79060 79062 2950b6 79060->79062 79174 251e40 free 79062->79174 79063 29542c 79216 251e40 free 79063->79216 
79066 2950be 79175 251e40 free 79066->79175 79068 2950cd 79069 252f88 3 API calls 79068->79069 79070 2950e3 79069->79070 79071 2950f1 79070->79071 79072 295100 79070->79072 79073 2530ea 3 API calls 79071->79073 79176 253044 malloc _CxxThrowException free ctype 79072->79176 79075 2950fe 79073->79075 79177 261029 6 API calls 79075->79177 79077 29511a 79078 29516b 79077->79078 79079 295120 79077->79079 79184 26089e malloc _CxxThrowException free _CxxThrowException memcpy 79078->79184 79178 251e40 free 79079->79178 79082 295187 79086 2904d2 5 API calls 79082->79086 79083 295128 79179 251e40 free 79083->79179 79085 295130 79180 251e40 free 79085->79180 79088 2951ba 79086->79088 79185 290516 malloc _CxxThrowException ctype 79088->79185 79089 295138 79181 251e40 free 79089->79181 79092 2951c5 79097 29522d 79092->79097 79098 2951f5 79092->79098 79093 295140 79182 251e40 free 79093->79182 79095 295148 79183 251e40 free 79095->79183 79100 252e04 2 API calls 79097->79100 79186 251e40 free 79098->79186 79146 295235 79100->79146 79101 2951fd 79187 251e40 free 79101->79187 79104 295205 79188 251e40 free 79104->79188 79105 29532e 79197 251e40 free 79105->79197 79107 29520d 79189 251e40 free 79107->79189 79110 295347 79110->79046 79111 295358 79110->79111 79198 251e40 free 79111->79198 79112 295215 79190 251e40 free 79112->79190 79114 2953a3 79204 251e40 free 79114->79204 79116 295360 79199 251e40 free 79116->79199 79117 29521d 79191 251e40 free 79117->79191 79121 295368 79200 251e40 free 79121->79200 79124 2953bc 79205 251e40 free 79124->79205 79125 295370 79201 251e40 free 79125->79201 79129 2953c4 79206 251e40 free 79129->79206 79130 295378 79202 251e40 free 79130->79202 79132 2904d2 5 API calls 79132->79146 79134 2953cc 79207 251e40 free 79134->79207 79135 295380 79203 251e40 free 79135->79203 79139 2953d4 79208 251e40 free 79139->79208 79141 2953dc 79209 251e40 free 79141->79209 79143 2953e4 79210 251e40 free 79143->79210 79146->79105 79146->79114 79146->79132 79147 252e04 2 
API calls 79146->79147 79192 29545c 5 API calls 2 library calls 79146->79192 79193 261029 6 API calls 79146->79193 79194 26089e malloc _CxxThrowException free _CxxThrowException memcpy 79146->79194 79195 290516 malloc _CxxThrowException ctype 79146->79195 79196 251e40 free 79146->79196 79147->79146 79150 267fcf __EH_prolog 79149->79150 79152 268061 79150->79152 79154 26805c 79150->79154 79155 268019 79150->79155 79156 267ff4 79150->79156 79151 26800a 79226 259736 VariantClear 79151->79226 79152->79154 79167 268025 79152->79167 79225 259630 VariantClear 79154->79225 79155->79156 79157 26801e 79155->79157 79156->79151 79217 25950d 79156->79217 79160 268042 79157->79160 79161 268022 79157->79161 79159 2680b8 79163 25965d VariantClear 79159->79163 79223 259597 VariantClear 79160->79223 79164 268032 79161->79164 79161->79167 79166 2680c0 79163->79166 79222 259604 VariantClear 79164->79222 79166->79022 79166->79023 79167->79151 79224 2595df VariantClear 79167->79224 79170->79035 79171->79035 79172->79038 79173->79054 79174->79066 79175->79068 79176->79075 79177->79077 79178->79083 79179->79085 79180->79089 79181->79093 79182->79095 79183->79035 79184->79082 79185->79092 79186->79101 79187->79104 79188->79107 79189->79112 79190->79117 79191->79035 79192->79146 79193->79146 79194->79146 79195->79146 79196->79146 79197->79110 79198->79116 79199->79121 79200->79125 79201->79130 79202->79135 79203->79035 79204->79124 79205->79129 79206->79134 79207->79139 79208->79141 79209->79143 79210->79035 79211->79048 79212->79050 79213->79055 79214->79058 79215->79063 79216->79035 79227 259767 79217->79227 79219 259518 SysAllocStringLen 79220 25954f 79219->79220 79221 259539 _CxxThrowException 79219->79221 79220->79151 79221->79220 79222->79151 79223->79151 79224->79151 79225->79151 79226->79159 79228 259770 79227->79228 79229 259779 79227->79229 79228->79219 79232 259686 VariantClear 79229->79232 79231 259780 79231->79219 79232->79231 79233 27d3c2 79234 27d3e9 79233->79234 79235 25965d 
VariantClear 79234->79235 79236 27d42a 79235->79236 79237 27d883 2 API calls 79236->79237 79238 27d4b1 79237->79238 79324 278d4a 79238->79324 79241 278b05 VariantClear 79244 27d4e3 79241->79244 79242 272a72 2 API calls 79243 27d54c 79242->79243 79245 252fec 3 API calls 79243->79245 79244->79242 79246 27d594 79245->79246 79247 27d742 79246->79247 79248 27d5cd 79246->79248 79356 27cd49 malloc _CxxThrowException free 79247->79356 79249 27d7d9 79248->79249 79341 279317 79248->79341 79359 251e40 free 79249->79359 79253 27d754 79254 252fec 3 API calls 79253->79254 79257 27d763 79254->79257 79255 27d7e1 79360 251e40 free 79255->79360 79357 251e40 free 79257->79357 79259 27d5f1 79262 2904d2 5 API calls 79259->79262 79261 27d7e9 79264 27326b free 79261->79264 79265 27d5f9 79262->79265 79263 27d76b 79358 251e40 free 79263->79358 79274 27d69a 79264->79274 79347 27e332 79265->79347 79268 27d773 79270 27326b free 79268->79270 79270->79274 79272 27d610 79354 251e40 free 79272->79354 79275 27d618 79276 27326b free 79275->79276 79277 27d2a8 79276->79277 79277->79274 79299 27d883 79277->79299 79280 252fec 3 API calls 79281 27d361 79280->79281 79282 252fec 3 API calls 79281->79282 79283 27d36d 79282->79283 79311 27d0e1 79283->79311 79285 27d380 79286 27d665 79285->79286 79287 27d38a 79285->79287 79288 27d68b 79286->79288 79355 27cd49 malloc _CxxThrowException free 79286->79355 79289 2904d2 5 API calls 79287->79289 79291 27326b free 79288->79291 79292 27d392 79289->79292 79291->79274 79294 27e332 2 API calls 79292->79294 79293 27d67c 79295 252fec 3 API calls 79293->79295 79296 27d3a1 79294->79296 79295->79288 79297 27326b free 79296->79297 79298 27d3b0 79297->79298 79300 27d88d __EH_prolog 79299->79300 79301 252e04 2 API calls 79300->79301 79302 27d8c6 79301->79302 79303 252e04 2 API calls 79302->79303 79304 27d8d2 79303->79304 79305 252e04 2 API calls 79304->79305 79306 27d8de 79305->79306 79307 272b63 2 API calls 79306->79307 79308 27d8fa 79307->79308 79309 272b63 2 API calls 
79308->79309 79310 27d34f 79309->79310 79310->79280 79312 27d0eb __EH_prolog 79311->79312 79313 27d10b 79312->79313 79314 27d138 79312->79314 79315 251e0c ctype 2 API calls 79313->79315 79316 251e0c ctype 2 API calls 79314->79316 79323 27d112 79314->79323 79315->79323 79317 27d14b 79316->79317 79318 252fec 3 API calls 79317->79318 79319 27d17b 79318->79319 79361 257b41 28 API calls 79319->79361 79321 27d18a 79321->79323 79362 25757d GetLastError 79321->79362 79323->79285 79331 278d54 __EH_prolog 79324->79331 79325 278e15 79328 278e2d 79325->79328 79330 278e5e 79325->79330 79333 278e21 79325->79333 79326 278e09 79327 25965d VariantClear 79326->79327 79332 278e11 79327->79332 79329 278e2b 79328->79329 79328->79330 79336 25965d VariantClear 79329->79336 79334 25965d VariantClear 79330->79334 79339 278da4 79331->79339 79363 252b55 malloc _CxxThrowException free _CxxThrowException ctype 79331->79363 79332->79241 79364 253097 malloc _CxxThrowException free SysStringLen ctype 79333->79364 79334->79332 79338 278e47 79336->79338 79338->79332 79365 278e7c 6 API calls __EH_prolog 79338->79365 79339->79325 79339->79326 79339->79332 79344 279321 __EH_prolog 79341->79344 79342 25965d VariantClear 79343 2793d0 79342->79343 79343->79249 79343->79259 79346 279360 79344->79346 79366 259686 VariantClear 79344->79366 79346->79342 79348 27e33c __EH_prolog 79347->79348 79349 251e0c ctype 2 API calls 79348->79349 79350 27e34a 79349->79350 79351 27d608 79350->79351 79367 27e3d1 malloc _CxxThrowException __EH_prolog 79350->79367 79353 251e40 free 79351->79353 79353->79272 79354->79275 79355->79293 79356->79253 79357->79263 79358->79268 79359->79255 79360->79261 79361->79321 79362->79323 79363->79339 79364->79329 79365->79332 79366->79346 79367->79351 79368 290343 79373 29035f 79368->79373 79371 290358 79374 290369 __EH_prolog 79373->79374 79390 26139e 79374->79390 79379 290143 ctype free 79380 29039a 79379->79380 79400 251e40 free 79380->79400 79382 2903a2 79401 251e40 free 79382->79401 
79384 2903aa 79402 2903d8 79384->79402 79389 251e40 free 79389->79371 79391 2613b3 79390->79391 79392 2613ae 79390->79392 79394 2901c4 79391->79394 79418 2e7ea0 SetEvent GetLastError 79392->79418 79395 2901ce __EH_prolog 79394->79395 79398 290203 79395->79398 79420 251e40 free 79395->79420 79397 29020b 79397->79379 79419 251e40 free 79398->79419 79400->79382 79401->79384 79403 2903e2 __EH_prolog 79402->79403 79404 26139e ctype 2 API calls 79403->79404 79405 2903fb 79404->79405 79421 2e7d50 79405->79421 79407 290403 79408 2e7d50 ctype 2 API calls 79407->79408 79409 29040b 79408->79409 79410 2e7d50 ctype 2 API calls 79409->79410 79411 2903b7 79410->79411 79412 29004a 79411->79412 79413 290054 __EH_prolog 79412->79413 79427 251e40 free 79413->79427 79415 290067 79428 251e40 free 79415->79428 79417 29006f 79417->79371 79417->79389 79418->79391 79419->79397 79420->79395 79422 2e7d7b 79421->79422 79423 2e7d59 CloseHandle 79421->79423 79422->79407 79424 2e7d64 GetLastError 79423->79424 79425 2e7d75 79423->79425 79424->79422 79426 2e7d6e 79424->79426 79425->79422 79426->79407 79427->79415 79428->79417 79429 2d6bc6 79430 2d6bcd 79429->79430 79431 2d6bca 79429->79431 79430->79431 79432 2d6bd1 malloc 79430->79432 79432->79431 79433 27d948 79463 27dac7 79433->79463 79435 27d94f 79436 252e04 2 API calls 79435->79436 79437 27d97b 79436->79437 79438 252e04 2 API calls 79437->79438 79439 27d987 79438->79439 79440 27d9e7 79439->79440 79471 256404 79439->79471 79444 27da0f 79440->79444 79461 27da36 79440->79461 79496 251e40 free 79444->79496 79446 27d9bf 79494 251e40 free 79446->79494 79447 27da94 79500 251e40 free 79447->79500 79451 27da17 79497 251e40 free 79451->79497 79453 27d9c7 79495 251e40 free 79453->79495 79454 27da9c 79501 251e40 free 79454->79501 79455 252da9 2 API calls 79455->79461 79458 27d9cf 79459 2904d2 5 API calls 79459->79461 79461->79447 79461->79455 79461->79459 79498 251524 malloc _CxxThrowException __EH_prolog ctype 79461->79498 79499 251e40 free 79461->79499 
79464 27dad1 __EH_prolog 79463->79464 79465 252e04 2 API calls 79464->79465 79466 27db33 79465->79466 79467 252e04 2 API calls 79466->79467 79468 27db3f 79467->79468 79469 252e04 2 API calls 79468->79469 79470 27db55 79469->79470 79470->79435 79472 25631f 9 API calls 79471->79472 79473 256414 79472->79473 79474 256423 79473->79474 79475 252f88 3 API calls 79473->79475 79476 252f88 3 API calls 79474->79476 79475->79474 79477 25643d 79476->79477 79478 267e5a 79477->79478 79479 267e64 __EH_prolog 79478->79479 79502 268179 79479->79502 79482 277ebb free 79483 267e7f 79482->79483 79484 252fec 3 API calls 79483->79484 79485 267e9a 79484->79485 79486 252da9 2 API calls 79485->79486 79487 267ea7 79486->79487 79488 256c72 44 API calls 79487->79488 79489 267eb7 79488->79489 79507 251e40 free 79489->79507 79491 267ecb 79492 267ed8 79491->79492 79508 25757d GetLastError 79491->79508 79492->79440 79492->79446 79494->79453 79495->79458 79496->79451 79497->79458 79498->79461 79499->79461 79500->79454 79501->79458 79503 268906 79502->79503 79505 267e77 79503->79505 79509 268804 free ctype 79503->79509 79510 251e40 free 79503->79510 79505->79482 79507->79491 79508->79492 79509->79503 79510->79503 79511 2542d1 79512 2542bd 79511->79512 79513 2542c5 79512->79513 79514 251e0c ctype 2 API calls 79512->79514 79514->79513 79515 261ade 79516 261ae8 __EH_prolog 79515->79516 79566 2513f5 79516->79566 79519 261b32 6 API calls 79521 261b8d 79519->79521 79530 261bf8 79521->79530 79584 261ea4 9 API calls 79521->79584 79522 261b24 _CxxThrowException 79522->79519 79524 261bdf 79525 2527bb 3 API calls 79524->79525 79526 261bec 79525->79526 79585 251e40 free 79526->79585 79528 261c89 79580 261eb9 79528->79580 79530->79528 79586 271d73 5 API calls __EH_prolog 79530->79586 79534 261cb2 _CxxThrowException 79534->79528 79567 2513ff __EH_prolog 79566->79567 79568 277ebb free 79567->79568 79569 25142b 79568->79569 79570 251438 79569->79570 79587 251212 free ctype 79569->79587 79572 251e0c ctype 2 API 
calls 79570->79572 79573 25144d 79572->79573 79574 2904d2 5 API calls 79573->79574 79577 251507 79573->79577 79579 2514f4 79573->79579 79588 251265 5 API calls 2 library calls 79573->79588 79589 251524 malloc _CxxThrowException __EH_prolog ctype 79573->79589 79574->79573 79578 252fec 3 API calls 79577->79578 79578->79579 79579->79519 79583 271d73 5 API calls __EH_prolog 79579->79583 79590 259313 GetCurrentProcess OpenProcessToken 79580->79590 79583->79522 79584->79524 79585->79530 79586->79534 79587->79570 79588->79573 79589->79573 79591 259390 79590->79591 79592 25933a LookupPrivilegeValueW 79590->79592 79593 259382 79592->79593 79594 25934c AdjustTokenPrivileges 79592->79594 79595 259385 CloseHandle 79593->79595 79594->79593 79596 259372 GetLastError 79594->79596 79595->79591 79596->79595 79597 28acd3 79598 28ace0 79597->79598 79602 28acf1 79597->79602 79598->79602 79603 28acf8 79598->79603 79604 28c0b3 __EH_prolog 79603->79604 79607 28c0ed 79604->79607 79608 277193 free 79604->79608 79611 251e40 free 79604->79611 79606 28aceb 79610 251e40 free 79606->79610 79612 251e40 free 79607->79612 79608->79604 79610->79602 79611->79604 79612->79606 79613 25b5d9 79614 25b5f7 79613->79614 79615 25b5e6 79613->79615 79615->79614 79619 25b5fe 79615->79619 79620 25b608 __EH_prolog 79619->79620 79626 2d6a40 VirtualFree 79620->79626 79622 25b63d 79623 25764c CloseHandle 79622->79623 79624 25b5f1 79623->79624 79625 251e40 free 79624->79625 79625->79614 79626->79622 79627 2d4e90 79628 251e0c ctype 2 API calls 79627->79628 79630 2d4ead 79628->79630 79629 2d4ed6 79630->79629 79633 2d4590 malloc _CxxThrowException _CxxThrowException ctype 79630->79633 79632 2d4ec7 79633->79632 79635 2d69d0 79636 2d69d4 79635->79636 79637 2d69d7 malloc 79635->79637

                                Control-flow Graph
                                APIs
                                • GetCurrentProcess.KERNEL32(00000020,00261EC5,?,7633AB50,?,?,?,?,00261EC5,00261CEF), ref: 00259329
                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00261EC5,00261CEF), ref: 00259330
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00259342
                                • AdjustTokenPrivileges.KERNELBASE(00261EC5,00000000,?,00000000,00000000,00000000), ref: 00259368
                                • GetLastError.KERNEL32 ref: 00259372
                                • CloseHandle.KERNELBASE(00261EC5,?,?,?,?,00261EC5,00261CEF), ref: 00259388
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeRestorePrivilege
                                • API String ID: 3398352648-1684392131
                                • Opcode ID: 4929e787bc1e8e10b013e9ba2343c88a8afc40c2a0d59739fb6c10b6d84a2f3b
                                • Instruction ID: 7dd717b940f54fa35e10f511406e3c172361aaa32c75c24653cb77fa2b7e0cea
                                • Opcode Fuzzy Hash: 4929e787bc1e8e10b013e9ba2343c88a8afc40c2a0d59739fb6c10b6d84a2f3b
                                • Instruction Fuzzy Hash: 0E01AD72995218FFDB105FF1AC4DBEE7F7CAF017A1F1401A8E842E2180DA708649C7A0

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00263D6B
                                • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00263D7D
                                • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263D94
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00263DB6
                                • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263DCB
                                • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00263DD5
                                Strings
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeSecurityPrivilege
                                • API String ID: 3475889169-2333288578
                                • Opcode ID: 88048550005090bc00f564519f4ae2d0c53216ba2b4f43e26b262809d47d0eeb
                                • Instruction ID: d9689e4ab98feef1183e662f64d7f9ff83550af4c793ae02262c44bb64ba3c79
                                • Opcode Fuzzy Hash: 88048550005090bc00f564519f4ae2d0c53216ba2b4f43e26b262809d47d0eeb
                                • Instruction Fuzzy Hash: 771130B195011EAFDB10EFA4DD89AFEFBBCFB04394F500539E412E2190DB718A19CA60
                                APIs
                                • __EH_prolog.LIBCMT ref: 002981F1
                                  • Part of subcall function 0029F749: _CxxThrowException.MSVCRT(?,00304A58), ref: 0029F792
                                Strings
                                Similarity
                                • API ID: ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 461045715-3916222277
                                • Opcode ID: efc9068d9567a585898e317ff54a0c2ad9c3a22a98fb90454dde6146bbbd8a98
                                • Instruction ID: b2c016f4dd87f5a419d893011b9bcd04de133a97c97581dd81383c8324d09ba8
                                • Opcode Fuzzy Hash: efc9068d9567a585898e317ff54a0c2ad9c3a22a98fb90454dde6146bbbd8a98
                                • Instruction Fuzzy Hash: 8892903191024ADFDF15DFA8C884BAEBBB1BF19304F284099E805AB291CB759D65CF61
                                APIs
                                • __EH_prolog.LIBCMT ref: 0025686D
                                  • Part of subcall function 00256848: FindClose.KERNELBASE(00000000,?,00256880), ref: 00256853
                                • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 002568A5
                                • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 002568DE
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: Find$FileFirst$CloseH_prolog
                                • String ID:
                                • API String ID: 3371352514-0
                                • Opcode ID: db763dd71c99f3eb8c6de82945e1e5f79e76683894705b40bfee220cba0c6684
                                • Instruction ID: 3f91c05a7d123d9927121a2499bb3dda22a99a5e6e15be92d0d677d0f967ef1c
                                • Opcode Fuzzy Hash: db763dd71c99f3eb8c6de82945e1e5f79e76683894705b40bfee220cba0c6684
                                • Instruction Fuzzy Hash: 2911D03152020ADBCB10EFA4C85A6FEB779EF50326F604229ED6057191DB718EADDF44
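
                                 The `.sdmp` names in the Memory Dump Source blocks above encode which process and which memory region each dump came from. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses those names and the IDA snapshot name exactly as they appear on this page and cross-checks them. The field layout it assumes (PID, dump stage, timestamp, base address, page protection, one undecoded field, memory type, module index) is an inference from the values on this page, confirmed only by the fact that the snapshot name `hcaresult_11_2_250000_7zr.jbxd` repeats PID 11, stage 2 and base 0x250000, and by the protection and type values matching the Win32 PAGE_* and MEM_* constants; treat it as an assumption, not a documented format. The sample names are copied from this report.

```python
"""Decode the Joe Sandbox memory-dump (.sdmp) and snapshot (.jbxd) names quoted
in this report.  Added example; the field layout is an assumption inferred from
the names on this page, not a documented Joe Sandbox format."""
import re

# Win32 page-protection constants from winnt.h (real values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Win32 MEMORY_BASIC_INFORMATION.Type constants (real values).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: pid . stage . timestamp . base . protection . (undecoded) . type . module-index . sdmp
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
# Assumed layout: hcaresult_<pid>_<stage>_<base hex>_<module>.jbxd
JBXD_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-F]+)_(.+)\.jbxd$", re.I)

# Dump names copied verbatim from the Memory Dump Source block of this report.
REPORT_DUMPS = [
    "0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp",
]


def parse_sdmp_name(name):
    """Split one .sdmp file name into its (assumed) fields and label the constants."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox .sdmp name: %r" % name)
    pid, stage, ts, base, prot, unknown, mtype, idx = m.groups()
    prot_v, type_v = int(prot, 16), int(mtype, 16)
    return {
        "pid": int(pid, 16), "stage": int(stage, 16), "timestamp": int(ts),
        "base": int(base, 16),
        "protection": prot_v, "protection_name": PAGE_PROTECTION.get(prot_v, "UNKNOWN"),
        "field6": int(unknown, 16),          # meaning not decoded; kept raw on purpose
        "type": type_v, "type_name": MEM_TYPE.get(type_v, "UNKNOWN"),
        "module_index": int(idx, 16),
    }


def parse_snapshot_name(name):
    """Split an IDA-plugin snapshot name (hcaresult_<pid>_<stage>_<base>_<module>.jbxd)."""
    m = JBXD_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox snapshot name: %r" % name)
    pid, stage, base, module = m.groups()
    return {"pid": int(pid), "stage": int(stage), "base": int(base, 16), "module": module}


def executable_regions(names):
    """Bases of the dumped regions whose page protection allows execution (PAGE_EXECUTE*)."""
    return sorted(d["base"] for d in map(parse_sdmp_name, names) if d["protection"] & 0xF0)


def module_base(names):
    """Lowest base among the dumps of one module: the page holding the PE header."""
    return min(parse_sdmp_name(n)["base"] for n in names)


def snapshot_consistent(names, snapshot):
    """Cross-check that the snapshot name agrees with the dumps' PID, stage and module base."""
    s = parse_snapshot_name(snapshot)
    dumps = [parse_sdmp_name(n) for n in names]
    same_proc = all(d["pid"] == s["pid"] and d["stage"] == s["stage"] for d in dumps)
    return same_proc and module_base(names) == s["base"]


if __name__ == "__main__":
    for n in REPORT_DUMPS:
        d = parse_sdmp_name(n)
        print("%08X  %-22s %s" % (d["base"], d["protection_name"], d["type_name"]))
    print("executable regions:", [hex(b) for b in executable_regions(REPORT_DUMPS)])
    print("snapshot consistent:", snapshot_consistent(REPORT_DUMPS, "hcaresult_11_2_250000_7zr.jbxd"))
```

                                 Run stand-alone, the script shows that of the five dumps listed for this module only the region at 0x251000 carries PAGE_EXECUTE_READ, which is the code section the IDA plugin disassembled (the report's "Offset: 00250000" is the PAGE_READONLY header page one page below it), and that the snapshot name agrees with the dumps on PID 11, stage 2 and base 0x250000. If a sample's executable region instead showed up as MEM_PRIVATE with PAGE_EXECUTE_READWRITE, that would be the unpacked or injected code to look at first.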

                                 Control-flow Graph
                                 (rendered as a graph figure in the original report; text form keeps only its edge list: basic blocks 28a013 through 28acb5 of the function at 0028A013, calling fputs and the 7zr internal routines 251fa0, 252201, 28b0fa and others; the executed/not-executed colouring is not recoverable from the text)
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$ExceptionThrow
                                • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&1$p&1$N
                                • API String ID: 3665150552-3538584741
                                • Opcode ID: f2a25d27dee8649c491c55d7c5881fd50dda21edd57a6f5bbda55f16b3578925
                                • Instruction ID: f089c84264fe39e958ecf6df4cb817e4d107d929de691f90a02ef1e3b25b2912
                                • Opcode Fuzzy Hash: f2a25d27dee8649c491c55d7c5881fd50dda21edd57a6f5bbda55f16b3578925
                                • Instruction Fuzzy Hash: 8C52AB34921259DFDF26EBA4C895BEDBBB5AF44300F04409AE449A32D1DF706EA8CF15

                                 Control-flow Graph
                                 (rendered as a graph figure in the original report; text form keeps only its edge list: basic blocks 28a42c through 28acb5 of the function at 0028A42C, calling fputs and the 7zr internal routines 251fa0, 252201, 28545d and others, and sharing its tail blocks 28ac0b-28acb5 with the function above; the executed/not-executed colouring is not recoverable from the text)
                                APIs
                                • fputs.MSVCRT(Scanning the drive for archives:), ref: 0028A43E
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputcfputs
                                • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&1$p&1$!"$N
                                • API String ID: 269475090-3126563371
                                • Opcode ID: c24518c07951c21021c9916377282a52be7143178fa3f10867e7635b4a3be435
                                • Instruction ID: cee603e7cf37834dced2daa417bfcb579026660ae291522a1dbd9ea4f70ac141
                                • Opcode Fuzzy Hash: c24518c07951c21021c9916377282a52be7143178fa3f10867e7635b4a3be435
                                • Instruction Fuzzy Hash: 44228C34911258DFDF2AEBA4C856BEDFBB5AF44300F14408AE449632E1DF706AA8CF15

                                 Control-flow Graph
                                 (rendered as a graph figure in the original report; text form keeps only its edge list: basic blocks 28993d through 28acb5 of the function at 0028993D, calling GetStdHandle, GetConsoleScreenBufferInfo, _CxxThrowException, fputs, fputc and strlen plus 7zr internal routines, and sharing its tail blocks 28ac23-28acb5 with the functions above; the executed/not-executed colouring is not recoverable from the text)
                                APIs
                                  • Part of subcall function 0028B5B1: fputs.MSVCRT ref: 0028B5CA
                                  • Part of subcall function 0028B5B1: fputs.MSVCRT ref: 0028B5E1
                                • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 002899BD
                                • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 002899C4
                                • _CxxThrowException.MSVCRT(?,003055B8), ref: 00289A77
                                • _CxxThrowException.MSVCRT(?,003055B8), ref: 00289ABB
                                  • Part of subcall function 00251FB3: __EH_prolog.LIBCMT ref: 00251FB8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&1$p&1$N
                                • API String ID: 377453556-2607883775
                                • Opcode ID: 978727e4b0af02b3f1934c7a231fed606189d89134d8d325878d630db588fa77
                                • Instruction ID: 949bd4e93fc25dfdd5770de7d5146c37be9697e38b78e711ea7e0ec31dcbb037
                                • Opcode Fuzzy Hash: 978727e4b0af02b3f1934c7a231fed606189d89134d8d325878d630db588fa77
                                • Instruction Fuzzy Hash: E122BB35911209DFDF15EFA4D885BEDBBB1EF48300F24405AE444AB2D2CB359AA4CF65

                                 Control-flow Graph
                                 (rendered as a graph figure in the original report; text form keeps only its edge list: basic blocks 261ade through 261ea1 of the function at 00261ADE, calling _fileno, _isatty, wcscmp, _CxxThrowException, GetCurrentProcess, SetProcessAffinityMask and GetLastError plus 7zr internal routines; the executed/not-executed colouring is not recoverable from the text)
                                APIs
                                • __EH_prolog.LIBCMT ref: 00261AE3
                                  • Part of subcall function 002513F5: __EH_prolog.LIBCMT ref: 002513FA
                                • _CxxThrowException.MSVCRT(?,00306010), ref: 00261B2D
                                • _fileno.MSVCRT ref: 00261B3E
                                • _isatty.MSVCRT ref: 00261B47
                                • _fileno.MSVCRT ref: 00261B5D
                                • _isatty.MSVCRT ref: 00261B60
                                • _fileno.MSVCRT ref: 00261B73
                                • _CxxThrowException.MSVCRT(?,00306010), ref: 00261CBB
                                • _CxxThrowException.MSVCRT(?,00306010), ref: 00261DBD
                                • wcscmp.MSVCRT ref: 00261DCA
                                • _CxxThrowException.MSVCRT(?,00306010), ref: 00261E04
                                • _isatty.MSVCRT ref: 00261B76
                                  • Part of subcall function 00271D73: __EH_prolog.LIBCMT ref: 00271D78
                                • _CxxThrowException.MSVCRT(?,00306010), ref: 00261E2C
                                • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00261E3B
                                • SetProcessAffinityMask.KERNEL32(00000000), ref: 00261E42
                                • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00261E4C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                • String ID: : ERROR : $@46v$SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                • API String ID: 1826148334-3064912335
                                • Opcode ID: 03826ceac8c3e24539cc371b359b6e46b6b32822393051bf72d54c827dcf5ba0
                                • Instruction ID: bb8c13c780029a04d5e0037eb0b29d2ff5ed7ee43f27f65faf69666eb67798ad
                                • Opcode Fuzzy Hash: 03826ceac8c3e24539cc371b359b6e46b6b32822393051bf72d54c827dcf5ba0
                                • Instruction Fuzzy Hash: C0C1D231910249EFDB11DFB8C889BEDBBF4AF09354F188469E48597292C774A9B4CF11

                                 Control-flow Graph
                                 (rendered as a graph figure in the original report; text form keeps only its edge list: basic blocks 288012 through 2882b9 of the function at 00288012, calling fputs and SysFreeString plus 7zr internal routines 288341, 288565, 25965d and others; the executed/not-executed colouring is not recoverable from the text)
                                APIs
                                • __EH_prolog.LIBCMT ref: 00288017
                                • fputs.MSVCRT ref: 0028804D
                                  • Part of subcall function 00288341: __EH_prolog.LIBCMT ref: 00288346
                                  • Part of subcall function 00288341: fputs.MSVCRT ref: 0028835B
                                  • Part of subcall function 00288341: fputs.MSVCRT ref: 00288364
                                • fputs.MSVCRT ref: 0028807A
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                  • Part of subcall function 0025965D: VariantClear.OLEAUT32(?), ref: 0025967F
                                • SysFreeString.OLEAUT32(00000000), ref: 002881AA
                                • fputs.MSVCRT ref: 002881CD
                                • SysFreeString.OLEAUT32(00000000), ref: 00288267
                                • SysFreeString.OLEAUT32(00000000), ref: 002882B1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                • API String ID: 2889736305-3797937567
                                • Opcode ID: 903645767a31435980ea4bbf3c6fb5812b3caf964d53d14273f8b9e9d2be113b
                                • Instruction ID: 9a694ef4145f88caef1eaf5ec55af5552e52accefca1f1c20acdca7cf819381e
                                • Opcode Fuzzy Hash: 903645767a31435980ea4bbf3c6fb5812b3caf964d53d14273f8b9e9d2be113b
                                • Instruction Fuzzy Hash: F4919D35A21209EFDB14EFA4CD85AAEB7B5FF48350F604129E902E72D1DB70AD25CB50

                                 Control-flow Graph
                                 (rendered as a graph figure in the original report; text form keeps only its edge list: basic blocks 286766 through 28695a of the function at 00286766, calling EnterCriticalSection and fputs plus 7zr internal routines 251fa0, 252201, 28c7d7 and others; the executed/not-executed colouring is not recoverable from the text)
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028676B
                                • EnterCriticalSection.KERNEL32(00312938), ref: 00286781
                                • fputs.MSVCRT ref: 0028680B
                                • LeaveCriticalSection.KERNEL32(00312938), ref: 00286944
                                  • Part of subcall function 0028C7D7: fputs.MSVCRT ref: 0028C840
                                • fputs.MSVCRT ref: 00286851
                                  • Part of subcall function 00252201: fputs.MSVCRT ref: 0025221E
                                • fputs.MSVCRT ref: 002868D9
                                • fputs.MSVCRT ref: 002868F6
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                • String ID: v$8)1$8)1$Sub items Errors:
                                • API String ID: 2670240366-3116536169
                                • Opcode ID: 5b7623b48ff4944b55def04d6e57b6e00054a2a6e1a7774ad7e84aa33f286bcd
                                • Instruction ID: 9ba0b32156970d53019b4b77a8e7e7a9486da5ca95f7fd4f6c1259a5458a9f79
                                • Opcode Fuzzy Hash: 5b7623b48ff4944b55def04d6e57b6e00054a2a6e1a7774ad7e84aa33f286bcd
                                • Instruction Fuzzy Hash: 2D51BE35512601CFCB25AF64D998AAAB7E2FF84310F54442EE59A876A1CB307C78CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 898 286359-286373 call 2efb10 901 28639e-2863af call 285a4d 898->901 902 286375-286385 call 28c7d7 898->902 908 2865ee-2865f1 901->908 909 2863b5-2863cd 901->909 902->901 907 286387-28639b 902->907 907->901 910 2865f3-2865fb 908->910 911 286624-28663c 908->911 912 2863cf 909->912 913 2863d2-2863d4 909->913 914 2866ea call 28c5cd 910->914 915 286601-286607 call 288012 910->915 916 28663e call 251f91 911->916 917 286643-28664b 911->917 912->913 918 2863df-2863e7 913->918 919 2863d6-2863d9 913->919 929 2866ef-2866fd 914->929 930 28660c-28660e 915->930 916->917 917->914 924 286651-28668f fputs call 25211a call 251fa0 call 288685 917->924 925 2863e9-2863f2 call 251fa0 918->925 926 286411-286413 918->926 919->918 923 2864b1-2864bc call 286700 919->923 947 2864be-2864c1 923->947 948 2864c7-2864cf 923->948 924->929 983 286691-286697 924->983 925->926 943 2863f4-28640c call 25210c call 251fa0 925->943 931 286442-286446 926->931 932 286415-28641d 926->932 930->929 936 286614-28661f call 251fa0 930->936 940 286448-286450 931->940 941 286497-28649f 931->941 937 28642a-28643b 932->937 938 28641f-286425 call 286134 932->938 936->914 937->931 938->937 949 28647f-286490 940->949 950 286452-28647a fputs call 251fa0 call 251fb3 call 251fa0 940->950 941->923 944 2864a1-2864ac call 251fa0 call 251f91 941->944 943->926 944->923 947->948 955 2865a2-2865a6 947->955 956 2864f9-2864fb 948->956 957 2864d1-2864da call 251fa0 948->957 949->941 950->949 964 2865a8-2865b6 955->964 965 2865da-2865e6 955->965 961 28652a-28652e 956->961 962 2864fd-286505 956->962 957->956 980 2864dc-2864f4 call 25210c call 251fa0 957->980 976 28657f-286587 961->976 977 286530-286538 961->977 973 286512-286523 962->973 974 286507-28650d call 286134 962->974 978 2865b8-2865ca call 286244 964->978 979 2865d3 964->979 965->909 970 2865ec 965->970 970->908 973->961 974->973 976->955 982 286589-286595 call 251fa0 976->982 985 28653a-286562 fputs call 251fa0 call 251fb3 call 251fa0 977->985 986 286567-286578 977->986 978->979 1001 2865cc-2865ce call 251f91 978->1001 979->965 980->956 982->955 1003 286597-28659d call 251f91 982->1003 991 286699-28669f 983->991 992 2866df-2866e5 call 251f91 983->992 985->986 986->976 998 2866a1-2866b1 fputs 991->998 999 2866b3-2866ce call 264f2a call 251fb3 call 251e40 991->999 992->914 1004 2866d3-2866da call 251fa0 998->1004 999->1004 1001->979 1003->955 1004->992
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028635E
                                • fputs.MSVCRT ref: 0028645F
                                  • Part of subcall function 0028C7D7: fputs.MSVCRT ref: 0028C840
                                • fputs.MSVCRT ref: 00286547
                                • fputs.MSVCRT ref: 0028665F
                                • fputs.MSVCRT ref: 002866AE
                                  • Part of subcall function 00251F91: fflush.MSVCRT ref: 00251F93
                                  • Part of subcall function 00251FB3: __EH_prolog.LIBCMT ref: 00251FB8
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog$fflushfree
                                • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                • API String ID: 1750297421-1898165966
                                • Opcode ID: 8c7396d626bb0ed977e51193d5d419471b57f8e6ba3626a5487d2c8a5b4e7885
                                • Instruction ID: 461e6e265aabffe449fa35aff88d4e713a371087059c4e5a0397f6d590bf97da
                                • Opcode Fuzzy Hash: 8c7396d626bb0ed977e51193d5d419471b57f8e6ba3626a5487d2c8a5b4e7885
                                • Instruction Fuzzy Hash: ABB18C346227068FDB24FF60C9A9BAAB7E1BF44305F04442DE95A476D2CB74B868CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1016 259c8f-259cc2 GetModuleHandleA GetProcAddress 1017 259cc4-259ccc GlobalMemoryStatusEx 1016->1017 1018 259cef-259d06 GlobalMemoryStatus 1016->1018 1017->1018 1019 259cce-259cd7 1017->1019 1020 259d08 1018->1020 1021 259d0b-259d0d 1018->1021 1023 259ce5 1019->1023 1024 259cd9 1019->1024 1020->1021 1022 259d11-259d15 1021->1022 1027 259ce8-259ced 1023->1027 1025 259ce0-259ce3 1024->1025 1026 259cdb-259cde 1024->1026 1025->1027 1026->1023 1026->1025 1027->1022
                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00259CB3
                                • GetProcAddress.KERNEL32(00000000), ref: 00259CBA
                                • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00259CC8
                                • GlobalMemoryStatus.KERNEL32(?), ref: 00259CFA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                • API String ID: 180289352-802862622
                                • Opcode ID: 16f392d06d5bb50f84ecd624cda96ea440abb7803142c0fd189735a22444b4a4
                                • Instruction ID: c2f65dd7b89f79cbd88c4866c6cf39e65e019c8c0dfdd64f1439cd3261b6247f
                                • Opcode Fuzzy Hash: 16f392d06d5bb50f84ecd624cda96ea440abb7803142c0fd189735a22444b4a4
                                • Instruction Fuzzy Hash: ED115B7092020DDBDF20DF94D989BADB7F8BB08346F200419D846A7240D778A898CB58

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1028 29f1b2-29f1ce call 2efb10 call 261168 1032 29f1d3-29f1d5 1028->1032 1033 29f1db-29f1e4 call 29f3e4 1032->1033 1034 29f36a-29f378 1032->1034 1037 29f1ed-29f1f2 1033->1037 1038 29f1e6-29f1e8 1033->1038 1039 29f203-29f21a 1037->1039 1040 29f1f4-29f1f9 1037->1040 1038->1034 1043 29f21c-29f22c _CxxThrowException 1039->1043 1044 29f231-29f248 memcpy 1039->1044 1040->1039 1041 29f1fb-29f1fe 1040->1041 1041->1034 1043->1044 1045 29f24c-29f257 1044->1045 1046 29f259 1045->1046 1047 29f25c-29f25e 1045->1047 1046->1047 1048 29f281-29f299 1047->1048 1049 29f260-29f26f 1047->1049 1057 29f29b-29f2a0 1048->1057 1058 29f311-29f313 1048->1058 1050 29f279-29f27b 1049->1050 1051 29f271 1049->1051 1050->1048 1052 29f315-29f318 1050->1052 1054 29f273-29f275 1051->1054 1055 29f277 1051->1055 1056 29f357-29f368 1052->1056 1054->1050 1054->1055 1055->1050 1056->1034 1057->1052 1059 29f2a2-29f2b5 call 29f37b 1057->1059 1058->1056 1063 29f2f0-29f30c memmove 1059->1063 1064 29f2b7-29f2cf call 2ee1a0 1059->1064 1063->1045 1067 29f31a-29f355 memcpy 1064->1067 1068 29f2d1-29f2eb call 29f37b 1064->1068 1067->1056 1068->1064 1072 29f2ed 1068->1072 1072->1063
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: C0$C0
                                • API String ID: 3519838083-1431206244
                                • Opcode ID: d0eccf36ec4a5186db75784cfe8641681f8174b846d788c5c0d951262321c7f7
                                • Instruction ID: 5abb0476e65f3d5a04ce9fafdb49fc92c1b7578f649ba41eafc844e9c566778c
                                • Opcode Fuzzy Hash: d0eccf36ec4a5186db75784cfe8641681f8174b846d788c5c0d951262321c7f7
                                • Instruction Fuzzy Hash: 5751A07AE203069FDF90DFA4C980BBEB3B5FF88354F148469E905EB241D774A9158B60

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                • String ID:
                                • API String ID: 4012487245-0
                                • Opcode ID: 48d20b7b5a055008a522f058700db20c8f2a3366871ea07434648054760906aa
                                • Instruction ID: 63676e843bb6bda71e6871597c21a7a1a201b9f4463176799ab358fd192b9cec
                                • Opcode Fuzzy Hash: 48d20b7b5a055008a522f058700db20c8f2a3366871ea07434648054760906aa
                                • Instruction Fuzzy Hash: 42213A75900208EFCB069FA4DC49BEABB78FB0D760F104229F525A22E1CB745460CF20

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                • String ID:
                                • API String ID: 279829931-0
                                • Opcode ID: 6be089af7438f1160f0605c7943991412a01cbd70a081e97762f6b7aa6018b51
                                • Instruction ID: 07cb3544bb477fb894af447e0785c31f89bb0a8183abbe0bcd54f17708c7ecca
                                • Opcode Fuzzy Hash: 6be089af7438f1160f0605c7943991412a01cbd70a081e97762f6b7aa6018b51
                                • Instruction Fuzzy Hash: C501E97691020CEFDB09ABE0DC89DFEB779FB0C350B104129F605A22A2DB759560CF20

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 0027185D
                                  • Part of subcall function 0027021A: __EH_prolog.LIBCMT ref: 0027021F
                                  • Part of subcall function 0027062E: __EH_prolog.LIBCMT ref: 00270633
                                • _CxxThrowException.MSVCRT(?,00306010), ref: 00271961
                                  • Part of subcall function 00271AA5: __EH_prolog.LIBCMT ref: 00271AAA
                                Strings
                                • Duplicate archive path:, xrefs: 00271A8D
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID: Duplicate archive path:
                                • API String ID: 2366012087-4000988232
                                • Opcode ID: 2e1c0660a72f3380a9877a9895fa662e792318c1316fa23dd810d19a44b6ac09
                                • Instruction ID: 41ca46bea0133d36382e196f5be95f41e8c5107dc37b0ba95ae7d95de8c16081
                                • Opcode Fuzzy Hash: 2e1c0660a72f3380a9877a9895fa662e792318c1316fa23dd810d19a44b6ac09
                                • Instruction Fuzzy Hash: BE81A031D11159DFCF15EFA8D492ADDBBB5AF08310F1080A9E91673292DB30AE29CF60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1563 256c72-256c8e call 2efb10 1566 256c96-256c9e 1563->1566 1567 256c90-256c94 1563->1567 1568 256ca6-256cae 1566->1568 1569 256ca0-256ca4 1566->1569 1567->1566 1570 256cd3-256cdc call 258664 1567->1570 1568->1570 1571 256cb0-256cb5 1568->1571 1569->1568 1569->1570 1576 256d87-256d92 call 2588c6 1570->1576 1577 256ce2-256d02 call 2567f0 call 252f88 call 2587df 1570->1577 1571->1570 1573 256cb7-256cce call 2567f0 call 252f88 1571->1573 1589 25715d-25715f 1573->1589 1584 256f4c-256f62 call 2587fa 1576->1584 1585 256d98-256d9e 1576->1585 1600 256d04-256d09 1577->1600 1601 256d4a-256d61 call 257b41 1577->1601 1598 256f64-256f66 1584->1598 1599 256f67-256f74 call 2585e2 1584->1599 1585->1584 1588 256da4-256dc7 call 252e47 * 2 1585->1588 1612 256dd4-256dda 1588->1612 1613 256dc9-256dcf 1588->1613 1593 257118-257126 1589->1593 1598->1599 1608 256f76-256f7c 1599->1608 1609 256fd1-256fd8 1599->1609 1600->1601 1604 256d0b-256d38 call 259252 1600->1604 1616 256d67-256d6b 1601->1616 1617 256d63-256d65 1601->1617 1604->1601 1627 256d3a-256d45 1604->1627 1608->1609 1614 256f7e-256f8a call 256bf5 1608->1614 1620 256fe4-256feb 1609->1620 1621 256fda-256fde 1609->1621 1618 256df1-256df9 call 253221 1612->1618 1619 256ddc-256def call 252407 1612->1619 1613->1612 1623 2570e5-2570ea call 256868 1614->1623 1642 256f90-256f93 1614->1642 1629 256d6d-256d75 1616->1629 1630 256d78 1616->1630 1628 256d7a-256d82 call 25764c 1617->1628 1632 256dfe-256e0b call 2587df 1618->1632 1619->1618 1619->1632 1624 25701d-257024 call 258782 1620->1624 1625 256fed-256ff7 call 256bf5 1620->1625 1621->1620 1621->1623 1644 2570ef-2570f3 1623->1644 1624->1623 1649 25702a-257035 1624->1649 1625->1623 1647 256ffd-257000 1625->1647 1627->1589 1645 257116 1628->1645 1629->1630 1630->1628 1653 256e43-256e50 call 256c72 1632->1653 1654 256e0d-256e10 1632->1654 1642->1623 1648 256f99-256fb6 call 2567f0 call 252f88 1642->1648 1650 2570f5-2570f7 1644->1650 1651 25710c 1644->1651 1645->1593 1647->1623 1655 257006-25701b call 2567f0 1647->1655 1684 256fc2-256fc5 call 25717b 1648->1684 1685 256fb8-256fbd 1648->1685 1649->1623 1657 25703b-257044 call 258578 1649->1657 1650->1651 1658 2570f9-257102 1650->1658 1652 25710e-257111 call 256848 1651->1652 1652->1645 1674 256e56 1653->1674 1675 256f3a-256f4b call 251e40 * 2 1653->1675 1660 256e12-256e15 1654->1660 1661 256e1e-256e36 call 2567f0 1654->1661 1676 256fca-256fcc 1655->1676 1657->1623 1679 25704a-257054 call 25717b 1657->1679 1658->1651 1666 257104-257107 call 25717b 1658->1666 1660->1653 1667 256e17-256e1c 1660->1667 1681 256e58-256e7e call 252f1c call 252e04 1661->1681 1683 256e38-256e41 call 252fec 1661->1683 1666->1651 1667->1653 1667->1661 1674->1681 1675->1584 1676->1652 1691 257064-257097 call 252e47 call 251089 * 2 call 256868 1679->1691 1692 257056-25705f call 252f88 1679->1692 1701 256e83-256e99 call 256bb5 1681->1701 1683->1681 1684->1676 1685->1684 1725 2570bf-2570cc call 256bf5 1691->1725 1726 257099-2570af wcscmp 1691->1726 1703 257155-257158 call 256848 1692->1703 1709 256ecf-256ed1 1701->1709 1710 256e9b-256e9f 1701->1710 1703->1589 1712 256f09-256f35 call 251e40 * 2 call 256848 call 251e40 * 2 1709->1712 1713 256ec7-256ec9 SetLastError 1710->1713 1714 256ea1-256eae call 2522bf 1710->1714 1712->1645 1713->1709 1723 256eb0-256ec5 call 251e40 call 252e04 1714->1723 1724 256ed3-256ed9 1714->1724 1723->1701 1728 256eec-256f07 call 2531e5 1724->1728 1729 256edb-256ee0 1724->1729 1740 2570ce-2570d1 1725->1740 1741 257129-257133 call 2567f0 1725->1741 1732 2570b1-2570b6 1726->1732 1733 2570bb 1726->1733 1728->1712 1729->1728 1736 256ee2-256ee8 1729->1736 1734 257147-257154 call 252f88 call 251e40 1732->1734 1733->1725 1734->1703 1736->1728 1748 2570d3-2570d6 1740->1748 1749 2570d8-2570e4 call 251e40 1740->1749 1758 257135-257138 1741->1758 1759 25713a 1741->1759 1748->1741 1748->1749 1749->1623 1762 257141-257144 1758->1762 1759->1762 1762->1734
                                APIs
                                • __EH_prolog.LIBCMT ref: 00256C77
                                • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00256EC9
                                  • Part of subcall function 00256C72: wcscmp.MSVCRT ref: 002570A5
                                  • Part of subcall function 00256BF5: __EH_prolog.LIBCMT ref: 00256BFA
                                  • Part of subcall function 00256BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00256C1A
                                  • Part of subcall function 00256BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00256C49
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                • String ID: :$DATA
                                • API String ID: 3316598575-2587938151
                                • Opcode ID: 83bdb0ff4b0d725e14ead49a2fe22394d4530145e59e420601739a38242627ef
                                • Instruction ID: 98415e656447dc4ea1b91e5bddeb86922a29b58a495502abb7ddc4733ae43116
                                • Opcode Fuzzy Hash: 83bdb0ff4b0d725e14ead49a2fe22394d4530145e59e420601739a38242627ef
                                • Instruction Fuzzy Hash: D7E1373092020ADACF21EFA4D889BEDB7B1AF15316F508519EC46672D1DB70697DCF18
                                APIs
                                • __EH_prolog.LIBCMT ref: 00266FCA
                                  • Part of subcall function 00266E71: __EH_prolog.LIBCMT ref: 00266E76
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                • API String ID: 3519838083-394804653
                                • Opcode ID: 7e4d915a1d8af0c60349eefd290d1677680e9b2dce30b0f08f8d9cbece9758e4
                                • Instruction ID: 49572ffc973a10c7c38766fdd676825896e03d08ce861062c2bb3ed1e7e945ce
                                • Opcode Fuzzy Hash: 7e4d915a1d8af0c60349eefd290d1677680e9b2dce30b0f08f8d9cbece9758e4
                                • Instruction Fuzzy Hash: E141E8329282459BCF21DFA494906FEFBF5AF59344F5444AED086A3201C6706EE5CB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: f27425ed70f24bcf8f806b08df42a1bcca577bab50b98764f7aa522f9cb16ff1
                                • Instruction ID: 57e6751fc8437ce17831c23208fe773ef011709b46885c411f536a8fc5770c08
                                • Opcode Fuzzy Hash: f27425ed70f24bcf8f806b08df42a1bcca577bab50b98764f7aa522f9cb16ff1
                                • Instruction Fuzzy Hash: 60216D32925108EACF06EB94D953BEDBBB5EF48310F20406AE80172191DFB56E68CF95
                                APIs
                                • __EH_prolog.LIBCMT ref: 0029BDBA
                                  • Part of subcall function 0029BE69: __EH_prolog.LIBCMT ref: 0029BE6E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: /$0/$D/
                                • API String ID: 3519838083-1281808218
                                • Opcode ID: 5109525dd5962dc1bf800bd208c05453953bf3bf76f891402d99096dcfbbef2f
                                • Instruction ID: a018a9ddfb8fabd830b46cdfec1a58df384350aad36756382b44ec538eef1d21
                                • Opcode Fuzzy Hash: 5109525dd5962dc1bf800bd208c05453953bf3bf76f891402d99096dcfbbef2f
                                • Instruction Fuzzy Hash: D41116B4911744CFC722CF6AC198696FBE4BF18344F50C96ED0AA87752C7B0A918CF60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00288346
                                • fputs.MSVCRT ref: 0028835B
                                • fputs.MSVCRT ref: 00288364
                                  • Part of subcall function 002883BF: __EH_prolog.LIBCMT ref: 002883C4
                                  • Part of subcall function 002883BF: fputs.MSVCRT ref: 00288401
                                  • Part of subcall function 002883BF: fputs.MSVCRT ref: 00288437
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: aded6285ca7a23d4bd5f831b63a1564288fbd3b9c58009f86e092e9012085a8e
                                • Instruction ID: 0264d3ad2f30dcb910edd57cbc1af25b5077646243854affac0ab355c4616a38
                                • Opcode Fuzzy Hash: aded6285ca7a23d4bd5f831b63a1564288fbd3b9c58009f86e092e9012085a8e
                                • Instruction Fuzzy Hash: 5901A231A20008ABCB06BBA4D812BEEBB75AF84750F00402AF801622E1CF745A79DFD5
                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0026AB57), ref: 002E7DAA
                                • GetLastError.KERNEL32(?,00000000,0026AB57), ref: 002E7DBB
                                • CloseHandle.KERNELBASE(00000000,?,00000000,0026AB57), ref: 002E7DCF
                                • GetLastError.KERNEL32(?,00000000,0026AB57), ref: 002E7DD9
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$CloseHandleObjectSingleWait
                                • String ID:
                                • API String ID: 1796208289-0
                                • Opcode ID: 888eff1c377534b2ed6bcfb0fd59b4d9c05d2e8ec411e39a6c4ae63ccc4e5ba8
                                • Instruction ID: c5e4b79106512ab477c55bde98ca12c3f0f14fa9eefa26a775f1dfbdbd484bb6
                                • Opcode Fuzzy Hash: 888eff1c377534b2ed6bcfb0fd59b4d9c05d2e8ec411e39a6c4ae63ccc4e5ba8
                                • Instruction Fuzzy Hash: 3CF05E7176828347EB205EBFAC88B76669CAF513B4B700779E420D21D4DB60CC218620
                                APIs
                                • EnterCriticalSection.KERNEL32(00312938), ref: 0028588B
                                • LeaveCriticalSection.KERNEL32(00312938), ref: 002858BC
                                  • Part of subcall function 0028C911: GetTickCount.KERNEL32 ref: 0028C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterLeaveTick
                                • String ID: v$8)1
                                • API String ID: 1056156058-1564783448
                                • Opcode ID: 36807fca8eb73c0e95d486558cded3397b3c1df9e0006c6974a0cbc32b98e342
                                • Instruction ID: 3a7cb5bbf5e25f3afdcac2c4a1f0278837f49aacd480f4367a71f1b0df1f674c
                                • Opcode Fuzzy Hash: 36807fca8eb73c0e95d486558cded3397b3c1df9e0006c6974a0cbc32b98e342
                                • Instruction Fuzzy Hash: 15E0ED79516210DFC304EF18E908E9A77A5AF98311F15057EF405973A1CB349859CB71
                                APIs
                                • __EH_prolog.LIBCMT ref: 0027209B
                                  • Part of subcall function 0025757D: GetLastError.KERNEL32(0025D14C), ref: 0025757D
                                  • Part of subcall function 00272C6C: __EH_prolog.LIBCMT ref: 00272C71
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ErrorLastfree
                                • String ID: Cannot find archive file$The item is a directory
                                • API String ID: 683690243-1569138187
                                • Opcode ID: b3e9d7307c8eee88a40b479db09cf234baefa7cae87767d2c660ad3ba3ed3efa
                                • Instruction ID: 1bfcbb687f7f4b0a196648b755b079aac24189340d29f21a3b995a51af2165cc
                                • Opcode Fuzzy Hash: b3e9d7307c8eee88a40b479db09cf234baefa7cae87767d2c660ad3ba3ed3efa
                                • Instruction Fuzzy Hash: 0B726770D10259DFCB25DFA8C885BDDBBB5BF48300F24809AE859A7252C7709EA9CF51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CountTickfputs
                                • String ID: .
                                • API String ID: 290905099-4150638102
                                • Opcode ID: 64576acf92a1159e8509fb11e3043d742c3fe16a4303d09ec0d2e93917fefc3c
                                • Instruction ID: 8e0d49fa614c75d0a9a4c3ff5e0fd71ff08b8861ee4cf5110e8182aa26fc43d9
                                • Opcode Fuzzy Hash: 64576acf92a1159e8509fb11e3043d742c3fe16a4303d09ec0d2e93917fefc3c
                                • Instruction Fuzzy Hash: A3718A34621B05DFCB25EF64C581AAAB3F6BF81304F20485DE48797A81DB70B869CF25
                                APIs
                                  • Part of subcall function 00259C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00259CB3
                                  • Part of subcall function 00259C8F: GetProcAddress.KERNEL32(00000000), ref: 00259CBA
                                  • Part of subcall function 00259C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00259CC8
                                • __aulldiv.LIBCMT ref: 0029093F
                                • __aulldiv.LIBCMT ref: 0029094B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                • String ID: 3333
                                • API String ID: 3520896023-2924271548
                                • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                • Instruction ID: 0ade26c23a86a9e1f6492eef7db4fd70d8c01d58cc80ea672dfe581400a6bf0e
                                • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                • Instruction Fuzzy Hash: C221BAB19107486FF730DF6A8881A5FBAFDEB84B10F14892FB185D3241D670AD548B65
                                APIs
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                • memset.MSVCRT ref: 0027AEBA
                                • memset.MSVCRT ref: 0027AECD
                                  • Part of subcall function 002904D2: _CxxThrowException.MSVCRT(?,00304A58), ref: 002904F8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: memset$ExceptionThrowfree
                                • String ID: Split
                                • API String ID: 1404239998-1882502421
                                • Opcode ID: d7b7b21448d96026847a6450a87a7fa145242948eb238577260fda58f8a7acbd
                                • Instruction ID: 4afe63ac3c5e12da41ab72a4c38558d365ab9ed6c4aee373ff3b65040fa53517
                                • Opcode Fuzzy Hash: d7b7b21448d96026847a6450a87a7fa145242948eb238577260fda58f8a7acbd
                                • Instruction Fuzzy Hash: C6428D30A10249DFDF25DFA4C885BEDB7B1BF49314F148099E449A7251CB71AEA5CF12
                                APIs
                                • __EH_prolog.LIBCMT ref: 0025759F
                                  • Part of subcall function 0025764C: CloseHandle.KERNELBASE(00000000,?,002575AF,00000002,?,00000000,00000000), ref: 00257657
                                • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 002575E5
                                • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00257626
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CreateFile$CloseH_prologHandle
                                • String ID:
                                • API String ID: 449569272-0
                                • Opcode ID: e60020645ffc676d1a9b1c51af45fe57798e3aea9c7b3f4fdac1a8b307234fb9
                                • Instruction ID: cf6dd99e624aac6c2f0ec0737b87bd1e630a08f466b7ed0dc5ac0bb6ad5434ee
                                • Opcode Fuzzy Hash: e60020645ffc676d1a9b1c51af45fe57798e3aea9c7b3f4fdac1a8b307234fb9
                                • Instruction Fuzzy Hash: 16118C7281020AEFCF11AFA8D8418AEBB7AFF54365B108529FD60621A1C7719D79DB50
                                APIs
                                • fputs.MSVCRT ref: 00288437
                                • fputs.MSVCRT ref: 00288401
                                  • Part of subcall function 00251FB3: __EH_prolog.LIBCMT ref: 00251FB8
                                • __EH_prolog.LIBCMT ref: 002883C4
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputc
                                • String ID:
                                • API String ID: 678540050-0
                                • Opcode ID: 1a26b1d373ef2a51322926e0f4c4606c28b10b07d90737f02d13cdb870720ddf
                                • Instruction ID: b1537e85d93382d7c1ac78d9400db461598cdbb344159fb8d16b2e026780a7b8
                                • Opcode Fuzzy Hash: 1a26b1d373ef2a51322926e0f4c4606c28b10b07d90737f02d13cdb870720ddf
                                • Instruction Fuzzy Hash: 3111C631A242199BCB09B7A0D813AAEBB75DF84791F400029F901936E1CF751939CFD8
                                APIs
                                • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,002577DB,?,?,00000000,?,00257832,?), ref: 00257773
                                • GetLastError.KERNEL32(?,002577DB,?,?,00000000,?,00257832,?,?,?,?,00000000), ref: 00257780
                                • SetLastError.KERNEL32(00000000,?,?,002577DB,?,?,00000000,?,00257832,?,?,?,?,00000000), ref: 00257797
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$FilePointer
                                • String ID:
                                • API String ID: 1156039329-0
                                • Opcode ID: 101a69070ce23c4a67ee1f0860c78789c79e26a4889d88a5bce7c72cc9922db6
                                • Instruction ID: 5f4aa76d080fafc7f947364ca160795e531cd68d6f7626cfde2d60782c43bcfb
                                • Opcode Fuzzy Hash: 101a69070ce23c4a67ee1f0860c78789c79e26a4889d88a5bce7c72cc9922db6
                                • Instruction Fuzzy Hash: D811EF3022030AAFEF118F68EC49BAE77E5AF08361F108429FC1687291D7B09D24DB64
                                APIs
                                • __EH_prolog.LIBCMT ref: 00255A91
                                • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00255AB7
                                • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00255AEC
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: AttributesFile$H_prolog
                                • String ID:
                                • API String ID: 3790360811-0
                                • Opcode ID: 35a8531e5ae14125b842decddfd18d4f9e4d5ef00fcc3c4bb80dc378d0635774
                                • Instruction ID: 09794269c1a729c13f41a8f6c0aa3ccb42dbdf352648c9437082351bc624d174
                                • Opcode Fuzzy Hash: 35a8531e5ae14125b842decddfd18d4f9e4d5ef00fcc3c4bb80dc378d0635774
                                • Instruction Fuzzy Hash: 6101F932D2022697CF05AF9098916BEB775FF44351F144426EC1163161CB754C39DA54
                                APIs
                                • __EH_prolog.LIBCMT ref: 00265BEF
                                  • Part of subcall function 002654C0: __EH_prolog.LIBCMT ref: 002654C5
                                  • Part of subcall function 00265630: __EH_prolog.LIBCMT ref: 00265635
                                  • Part of subcall function 002736EA: __EH_prolog.LIBCMT ref: 002736EF
                                  • Part of subcall function 002657C1: __EH_prolog.LIBCMT ref: 002657C6
                                  • Part of subcall function 002658BE: __EH_prolog.LIBCMT ref: 002658C3
                                Strings
                                • Cannot seek to begin of file, xrefs: 0026610F
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Cannot seek to begin of file
                                • API String ID: 3519838083-2298593816
                                • Opcode ID: 2e747e9176e65f517b970d990e9a1be8e241ffb0bfccdbb42280224fe690a91b
                                • Instruction ID: b0b09ee8ad466ac16c428ce173757f5888a67e9c940b98fa88cc9371a132347d
                                • Opcode Fuzzy Hash: 2e747e9176e65f517b970d990e9a1be8e241ffb0bfccdbb42280224fe690a91b
                                • Instruction Fuzzy Hash: 5D121331924646DFDF25DFA4C489BEEBBF5AF05304F14006DE84A57292CB70AAE8CB51
                                APIs
                                • __EH_prolog.LIBCMT ref: 00294E8F
                                  • Part of subcall function 0025965D: VariantClear.OLEAUT32(?), ref: 0025967F
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ClearH_prologVariantfree
                                • String ID: file
                                • API String ID: 904627215-2359244304
                                • Opcode ID: 3180744a9e2498f664c44ea80540a1b27198e3b1e313690069c48ba6b229ece4
                                • Instruction ID: 3d7dd9564c584e13c1573564dbda7b87246c4d9fa686845b5df9e18b68dcde53
                                • Opcode Fuzzy Hash: 3180744a9e2498f664c44ea80540a1b27198e3b1e313690069c48ba6b229ece4
                                • Instruction Fuzzy Hash: E012A830A10219DFCF16EFA4C982BDDBBB5BF48345F204068E805A7292DB719E69CF54
                                APIs
                                • __EH_prolog.LIBCMT ref: 00272CE0
                                  • Part of subcall function 00255E10: __EH_prolog.LIBCMT ref: 00255E15
                                  • Part of subcall function 002641EC: _CxxThrowException.MSVCRT(?,00304A58), ref: 0026421A
                                  • Part of subcall function 0025965D: VariantClear.OLEAUT32(?), ref: 0025967F
                                Strings
                                • Cannot create output directory, xrefs: 00273070
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ClearExceptionThrowVariant
                                • String ID: Cannot create output directory
                                • API String ID: 814188403-1181934277
                                • Opcode ID: 152ded992b88ebcd6e6f686b37cb20ca195d829db6c22b68f484c07927044132
                                • Instruction ID: d0a32f2a3253c61d1f61ff3282d58676c3da3729dc36a9bd09a6e324cc58af07
                                • Opcode Fuzzy Hash: 152ded992b88ebcd6e6f686b37cb20ca195d829db6c22b68f484c07927044132
                                • Instruction Fuzzy Hash: 6CF1B43092028ADFCF25EFA4C891AEDBBB5BF19304F14809DE84967251D730AE69DF51
                                APIs
                                • fputs.MSVCRT ref: 0028C840
                                  • Part of subcall function 002525CB: _CxxThrowException.MSVCRT(?,00304A58), ref: 002525ED
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowfputs
                                • String ID:
                                • API String ID: 1334390793-399585960
                                • Opcode ID: 519aa97e5cde6582f9666050702ac914148fa14b6ba6f9ffd130c90ecaa60238
                                • Instruction ID: cc1c93dea0b68dc5e2c57bff6e1c216d42d98b0deb43f4a3a7853118063087f1
                                • Opcode Fuzzy Hash: 519aa97e5cde6582f9666050702ac914148fa14b6ba6f9ffd130c90ecaa60238
                                • Instruction Fuzzy Hash: F11101716147049FDB26DF58C8C1BAAFBE6EF4A304F14846EE1868B280C7B1BC14CB60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: Open
                                • API String ID: 1795875747-71445658
                                • Opcode ID: 0c0017cd0497ff284a4c2561ed7a7f15e16171f18981b2e414a7f24c927d21e1
                                • Instruction ID: ab84b583dea6101faba2ff0826c195d87b32d4bcd2d2862b32006c7e30af0751
                                • Opcode Fuzzy Hash: 0c0017cd0497ff284a4c2561ed7a7f15e16171f18981b2e414a7f24c927d21e1
                                • Instruction Fuzzy Hash: A811A0361127049FC760EF34E999ADABBA5EF14310F50842EE59A83292DB31B828CF54
                                APIs
                                • __EH_prolog.LIBCMT ref: 002658C3
                                  • Part of subcall function 00256C72: __EH_prolog.LIBCMT ref: 00256C77
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: 7d73d1218381ef85eeb1020773c83a8ab454670101303c4ffbece2df4817d144
                                • Instruction ID: 938c252daac34b2aad3ca26b9e05260153d4c5c4584d41b6c8aa99ae2b4b15ad
                                • Opcode Fuzzy Hash: 7d73d1218381ef85eeb1020773c83a8ab454670101303c4ffbece2df4817d144
                                • Instruction Fuzzy Hash: A291D631930526DFCF21DFA4D882AEEBBB2EF44354F144069F842A7251DB715DA8CBA4
                                APIs
                                • __EH_prolog.LIBCMT ref: 002A06B3
                                • _CxxThrowException.MSVCRT(?,0030D480), ref: 002A08F2
                                  • Part of subcall function 00251E0C: malloc.MSVCRT ref: 00251E1F
                                  • Part of subcall function 00251E0C: _CxxThrowException.MSVCRT(?,00304B28), ref: 00251E39
                                APIs
                                • __EH_prolog.LIBCMT ref: 00277B4D
                                • memcpy.MSVCRT(00000000,003127DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00277C65
                                APIs
                                • __EH_prolog.LIBCMT ref: 002A1516
                                  • Part of subcall function 002A10D3: __EH_prolog.LIBCMT ref: 002A10D8
                                • _CxxThrowException.MSVCRT(?,0030D480), ref: 002A1561
                                APIs
                                • __EH_prolog.LIBCMT ref: 00285800
                                • fputs.MSVCRT ref: 00285830
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                APIs
                                • SysAllocStringLen.OLEAUT32(?,?), ref: 0025952C
                                • _CxxThrowException.MSVCRT(?,003055B8), ref: 0025954A
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,00259C6E), ref: 00259C52
                                • GetProcessAffinityMask.KERNEL32(00000000), ref: 00259C59
                                APIs
                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0025B843
                                • GetLastError.KERNEL32 ref: 0025B8AA
                                APIs
                                • __EH_prolog.LIBCMT ref: 0029CF96
                                  • Part of subcall function 002A1511: __EH_prolog.LIBCMT ref: 002A1516
                                  • Part of subcall function 002A1511: _CxxThrowException.MSVCRT(?,0030D480), ref: 002A1561
                                APIs
                                • __EH_prolog.LIBCMT ref: 00264255
                                  • Part of subcall function 0026440B: __EH_prolog.LIBCMT ref: 00264410
                                  • Part of subcall function 00251E0C: malloc.MSVCRT ref: 00251E1F
                                  • Part of subcall function 00251E0C: _CxxThrowException.MSVCRT(?,00304B28), ref: 00251E39
                                APIs
                                • __EH_prolog.LIBCMT ref: 0027D0E6
                                  • Part of subcall function 00251E0C: malloc.MSVCRT ref: 00251E1F
                                  • Part of subcall function 00251E0C: _CxxThrowException.MSVCRT(?,00304B28), ref: 00251E39
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrowmalloc
                                • String ID:
                                • API String ID: 3978722251-0
                                • Opcode ID: 6a8f6f01da00aaa77dd33ed875c452da3f3b6b1b5cf6b5217931447a50ada52d
                                • Instruction ID: 63d9e2ac513e0fbd0031c663cfa1e522be9951637f31bc7ed4915a2ada67d640
                                • Opcode Fuzzy Hash: 6a8f6f01da00aaa77dd33ed875c452da3f3b6b1b5cf6b5217931447a50ada52d
                                • Instruction Fuzzy Hash: 5C41D671A20215DFCB10DFA8C984BAEBBF4BF45310F24859DE849E7281CBB09D14CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00267FCA
                                  • Part of subcall function 0025950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0025952C
                                  • Part of subcall function 0025950D: _CxxThrowException.MSVCRT(?,003055B8), ref: 0025954A
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: AllocExceptionH_prologStringThrow
                                • String ID:
                                • API String ID: 1940201546-0
                                • Opcode ID: d6a76932dcc63a4c976df47e1ac1093041a73ef055873dbd9ca9362355a8c603
                                • Instruction ID: e95afb751836134beb420305d7875de83eefbb0e0d7ba79462266c8ac8ca3320
                                • Opcode Fuzzy Hash: d6a76932dcc63a4c976df47e1ac1093041a73ef055873dbd9ca9362355a8c603
                                • Instruction Fuzzy Hash: FE31C37283014ACACF14AFA4C9519FE7774FF28305F404A29E812B7162EF719AACCB55
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028ADBC
                                  • Part of subcall function 0028AD29: __EH_prolog.LIBCMT ref: 0028AD2E
                                  • Part of subcall function 0028AF2D: __EH_prolog.LIBCMT ref: 0028AF32
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 47b7f6879555b3e4f8f3b7345689aa1949ae6a66319d050a9ab4a2f750f0a0c9
                                • Instruction ID: d00a0b2a56f89cf3668c9504102792cff79b9f6e908d8a711419ee4043d1d190
                                • Opcode Fuzzy Hash: 47b7f6879555b3e4f8f3b7345689aa1949ae6a66319d050a9ab4a2f750f0a0c9
                                • Instruction Fuzzy Hash: 4E41EB7144ABC0CED326DF7881656C6FFE06F36200F84899EC4EA43652D670A60CCB6A
                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 10fa5b71591ffe789f2afd890e4c71cc6166f5afa1b15c8b94f08c0924d45bab
                                • Instruction ID: 48e81f3ec2eec8251eb7921bff9d9286fa42d97f1b574efa084b3e094fdac47e
                                • Opcode Fuzzy Hash: 10fa5b71591ffe789f2afd890e4c71cc6166f5afa1b15c8b94f08c0924d45bab
                                • Instruction Fuzzy Hash: FE312C70D10219DFCB14EF95C8A18AEBBB8FF84364B10C11DE51A67241C7309D64CFA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 002798F7
                                  • Part of subcall function 00279987: __EH_prolog.LIBCMT ref: 0027998C
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 9aa19ef1205b7dc78893a44d3e97ed039ba16af5c09977ce559095c8e234d46b
                                • Instruction ID: 585531ae10634593271b22cb8b90c65d245f7bf51caae9ef08a0b9f58069bb3e
                                • Opcode Fuzzy Hash: 9aa19ef1205b7dc78893a44d3e97ed039ba16af5c09977ce559095c8e234d46b
                                • Instruction Fuzzy Hash: A2117F35610346DFEB14CF59C884FAAB3A9FF89350F14895CE95AD7291CB31E860CB20
                                APIs
                                • __EH_prolog.LIBCMT ref: 0027021F
                                  • Part of subcall function 00263D66: __EH_prolog.LIBCMT ref: 00263D6B
                                  • Part of subcall function 00263D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00263D7D
                                  • Part of subcall function 00263D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263D94
                                  • Part of subcall function 00263D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00263DB6
                                  • Part of subcall function 00263D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263DCB
                                  • Part of subcall function 00263D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00263DD5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID:
                                • API String ID: 1532160333-0
                                • Opcode ID: fcdd8183fa0266a732a2c9b82db2e555f9f9ab9bf0fe3ad416cbca2e9c12b468
                                • Instruction ID: 9970262b18dfecffacd59d7928353875dd5bf1c19c6567ededd7ee809edebbcd
                                • Opcode Fuzzy Hash: fcdd8183fa0266a732a2c9b82db2e555f9f9ab9bf0fe3ad416cbca2e9c12b468
                                • Instruction Fuzzy Hash: 2B214AB1846B90CFC321CF6B86D0686FFF4BB19604B94996EC1DA83B12C370A548CF55
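The block ending here is the function behind the "Enables security privileges" signature in the overview: through subcall 00263D66 it calls GetCurrentProcess, OpenProcessToken with access 0x28, LookupPrivilegeValueW for SeSecurityPrivilege, AdjustTokenPrivileges and then GetLastError. That last call is the check a reviewer looks for, because AdjustTokenPrivileges reports success even when the token never held the privilege and only ERROR_NOT_ALL_ASSIGNED reveals it. Picking this chain out of a report with thousands of such blocks is easier by script, so the following is an added example, not Joe Sandbox code and not part of this report: it parses the "APIs" listing format used on this page, decodes the OpenProcessToken access mask into TOKEN_* flags, and flags any block with the token-open, lookup, adjust sequence, recording whether GetLastError follows. The sample text inside is constructed from the lines shown above; the function and key names are the example's own. Only the leading argument slots are interpreted, since the listing prints recovered stack values past an API's real parameter count (GetCurrentProcess takes no parameters yet shows seven values).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of this report's per-function "APIs" lists
# (the SeSecurityPrivilege block plus two single-call blocks from this page).
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 0027021F
  • Part of subcall function 00263D66: __EH_prolog.LIBCMT ref: 00263D6B
  • Part of subcall function 00263D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00263D7D
  • Part of subcall function 00263D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263D94
  • Part of subcall function 00263D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00263DB6
  • Part of subcall function 00263D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263DCB
  • Part of subcall function 00263D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00263DD5
Memory Dump Source
APIs
• SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00251AD1,00000000,00000002,00000002,?,00257B3E,?,00000000), ref: 00257AFD
Memory Dump Source
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00257C8B
Memory Dump Source
"""

# One call line: optional "Part of subcall function <addr>:" prefix, then
# Api.MODULE, an optional "(args)" list and the "ref: <addr>" call site.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# winnt.h TOKEN_* access bits, used to decode OpenProcessToken's DesiredAccess.
TOKEN_ACCESS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple             # recovered stack slots; only the API's real parameter count is meaningful
    ref: str                # address of the call instruction
    subcall: Optional[str]  # callee address for "Part of subcall function" lines, else None


def parse_blocks(text: str) -> list:
    """Split the listing into per-function blocks ("APIs" ... "Memory Dump Source")."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            raw = m["args"]
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            current.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return blocks


def decode_token_access(value: str) -> list:
    """Expand a hex DesiredAccess slot into TOKEN_* names; '?' means the sandbox could not recover it."""
    if value == "?":
        return []
    mask = int(value, 16)
    return [name for bit, name in sorted(TOKEN_ACCESS.items()) if mask & bit]


def _index_after(seq: list, names: tuple, start: int) -> int:
    return next((i for i in range(start, len(seq)) if seq[i] in names), -1)


def find_privilege_enable(blocks: list) -> list:
    """Flag blocks whose calls go OpenProcessToken -> LookupPrivilegeValue* -> AdjustTokenPrivileges, in order."""
    findings = []
    for block in blocks:
        seq = [c.api for c in block]
        i_open = _index_after(seq, ("OpenProcessToken",), 0)
        i_lookup = _index_after(seq, ("LookupPrivilegeValueW", "LookupPrivilegeValueA"), i_open + 1)
        i_adjust = _index_after(seq, ("AdjustTokenPrivileges",), i_lookup + 1)
        if min(i_open, i_lookup, i_adjust) < 0:
            continue
        open_args, lookup_args = block[i_open].args, block[i_lookup].args
        findings.append({
            "subcall": block[i_adjust].subcall,
            "adjust_ref": block[i_adjust].ref,
            # OpenProcessToken(hProcess, DesiredAccess, phToken): slot 1 is the access mask
            "token_access": decode_token_access(open_args[1]) if len(open_args) > 1 else [],
            # LookupPrivilegeValueW(lpSystemName, lpName, lpLuid): slot 1 is the privilege name
            "privilege": lookup_args[1] if len(lookup_args) > 1 else "?",
            # AdjustTokenPrivileges succeeds even if nothing was assigned; GetLastError is the real check
            "checks_last_error": _index_after(seq, ("GetLastError",), i_adjust + 1) >= 0,
        })
    return findings


if __name__ == "__main__":
    for finding in find_privilege_enable(parse_blocks(SAMPLE)):
        print(finding)
```

On the constructed sample this yields one finding: privilege SeSecurityPrivilege, token access TOKEN_QUERY and TOKEN_ADJUST_PRIVILEGES (0x28), and checks_last_error true, matching the GetLastError call at 00263DD5 above. To use it on a full report, feed parse_blocks() the saved text of the function listing. Keep in mind that SeSecurityPrivilege grants SACL and audit-log access rather than administrative control, so on its own this chain is a weak indicator; the snapshot name identifies the process as 7zr, and correlating the privilege with what that dropped tool goes on to do is the next triage step.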
                                APIs
                                • __EH_prolog.LIBCMT ref: 00271C74
                                  • Part of subcall function 00256C72: __EH_prolog.LIBCMT ref: 00256C77
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 543431c59223cb971115c60d87b7caf11b349f68cc4f9ed9f9159f136fa58253
                                • Instruction ID: 372372c3f77132e7e70e972fd8a476bc32161c57e34dcc8a8036c1bb3d911eee
                                • Opcode Fuzzy Hash: 543431c59223cb971115c60d87b7caf11b349f68cc4f9ed9f9159f136fa58253
                                • Instruction Fuzzy Hash: 8411CE319202048BCF16FBD8C852BEDBB79AF09356F00406DEC0623182CB715E3DCA98
                                APIs
                                • __EH_prolog.LIBCMT ref: 00267E5F
                                  • Part of subcall function 00256C72: __EH_prolog.LIBCMT ref: 00256C77
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                  • Part of subcall function 0025757D: GetLastError.KERNEL32(0025D14C), ref: 0025757D
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ErrorLastfree
                                • String ID:
                                • API String ID: 683690243-0
                                • Opcode ID: 711df9e592fc6e55e7b7ff2dcdbb8885e168747ed1563fe683a6b8248d4a0a71
                                • Instruction ID: aefdbc274eb5ff2cfb57adc81767d5c92105dd68ba1251989b9cd5181e4c7f15
                                • Opcode Fuzzy Hash: 711df9e592fc6e55e7b7ff2dcdbb8885e168747ed1563fe683a6b8248d4a0a71
                                • Instruction Fuzzy Hash: ED010432A603009FC721EF74D4A29DFBBB1EF45350B00462EE88753692CB70696CCE54
                                APIs
                                • __EH_prolog.LIBCMT ref: 0029BF91
                                  • Part of subcall function 0029D144: __EH_prolog.LIBCMT ref: 0029D149
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: 547c3ce2d0d9abd6e0f9f8f73259c1848c1b05fdee6e5f5a392fc6598bfa5a62
                                • Instruction ID: e2fd38eebacced7ce327547b266c733177fbcc6bb180b07b712b86311b40a2f8
                                • Opcode Fuzzy Hash: 547c3ce2d0d9abd6e0f9f8f73259c1848c1b05fdee6e5f5a392fc6598bfa5a62
                                • Instruction Fuzzy Hash: 4E117371421715DFCB25EF64C916BCABBF4BF04344F10462DE4AA93592DBB06928CF44
                                APIs
                                • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00251AD1,00000000,00000002,00000002,?,00257B3E,?,00000000), ref: 00257AFD
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: FileTime
                                • String ID:
                                • API String ID: 1425588814-0
                                • Opcode ID: 42653c18bc49b3cc49a549b163d52a1f8976bf4a2bb3f979427860775ff6ddd0
                                • Instruction ID: dd342495ad470aafb34639d88b49bdb6094af12a5813dd359d43f03987c6f361
                                • Opcode Fuzzy Hash: 42653c18bc49b3cc49a549b163d52a1f8976bf4a2bb3f979427860775ff6ddd0
                                • Instruction Fuzzy Hash: FA01A230154249BFDF268F54DC09BEE3FA9AB05360F148249BCA6522E1C6709E74DB54
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028C0B8
                                  • Part of subcall function 00277193: __EH_prolog.LIBCMT ref: 00277198
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: fb5f3bedf6d455bc203fe22ecbf9bf2485541cc93b53d06f0747aa2e19689bfb
                                • Instruction ID: 3c5c6851dbb2e9757f5f3c6504f6c6c1bf0914adc75c094d24d955e65537bb97
                                • Opcode Fuzzy Hash: fb5f3bedf6d455bc203fe22ecbf9bf2485541cc93b53d06f0747aa2e19689bfb
                                • Instruction Fuzzy Hash: 9CF0B476931212DBD726AF89D8527AEF3A9EF547A0F20012FE50197641CBF19C308BA4
                                APIs
                                • __EH_prolog.LIBCMT ref: 00290364
                                  • Part of subcall function 002901C4: __EH_prolog.LIBCMT ref: 002901C9
                                  • Part of subcall function 00290143: __EH_prolog.LIBCMT ref: 00290148
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                  • Part of subcall function 002903D8: __EH_prolog.LIBCMT ref: 002903DD
                                  • Part of subcall function 0029004A: __EH_prolog.LIBCMT ref: 0029004F
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: b66a766c1251243315321f26f6fd3bc00531810f0365443665d20548d746fc9b
                                • Instruction ID: 01f8f41c91e98055b171cfaa9033a9d9df51da0eea3ff5a928879aa81937dda1
                                • Opcode Fuzzy Hash: b66a766c1251243315321f26f6fd3bc00531810f0365443665d20548d746fc9b
                                • Instruction Fuzzy Hash: CFF0F431924B54DFCB1AEB68C46239DBBE4AF04314F10469DF456632D2CBB46B248B48
                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: ccc3fdf32e66f56c6a87ad33621352cdf3c3e254a3ded022c5c526fd2389e576
                                • Instruction ID: b9631ac46d2baab735d3e3e76ee6b85168f83afb51262af64219cb615e3cfecd
                                • Opcode Fuzzy Hash: ccc3fdf32e66f56c6a87ad33621352cdf3c3e254a3ded022c5c526fd2389e576
                                • Instruction Fuzzy Hash: FDF0C232E2101AEBCB00EF98D8408EFBB74FF88790B50806AF415E7250CB348A25CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 0029550A
                                  • Part of subcall function 00294E8A: __EH_prolog.LIBCMT ref: 00294E8F
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: f5f56dea52003fbe51d0c784cb3a79d21d3c668bf824fe5e81ae1cede347572b
                                • Instruction ID: 3f05956caa38a2b8c9f7552c35ff3c237f51d27b95a020842a97250eaa4592f5
                                • Opcode Fuzzy Hash: f5f56dea52003fbe51d0c784cb3a79d21d3c668bf824fe5e81ae1cede347572b
                                • Instruction Fuzzy Hash: FFF06576620515EBCF069F48D811A9EBBB9FF84364F114529F40557241DB71DD218BA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a4e8aa41249f571fc6f870ea5c046b989ff99682ce1709ed63f17b24f97b3a8e
                                • Instruction ID: 26117418ad83a7fd18a16f8507cc9e867cb0cab6446dc795023d186455df1501
                                • Opcode Fuzzy Hash: a4e8aa41249f571fc6f870ea5c046b989ff99682ce1709ed63f17b24f97b3a8e
                                • Instruction Fuzzy Hash: 0FE09271A20208EFC700EF98D855F9EB7B8FF48354F10841EF00AD7201C7749910CA60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00295E30
                                  • Part of subcall function 002908B6: __aulldiv.LIBCMT ref: 0029093F
                                  • Part of subcall function 0026DFC9: __EH_prolog.LIBCMT ref: 0026DFCE
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                 • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$__aulldiv
                                • String ID:
                                • API String ID: 604474441-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00298ED6
                                  • Part of subcall function 00299267: __EH_prolog.LIBCMT ref: 0029926C
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                APIs
                                • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00257C8B
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                • API String ID: 3934441357-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0029BE6E
                                  • Part of subcall function 00295E2B: __EH_prolog.LIBCMT ref: 00295E30
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                APIs
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028F74A
                                  • Part of subcall function 0028F784: __EH_prolog.LIBCMT ref: 0028F789
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                APIs
                                • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0025785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00257B65
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 002A80AF
                                  • Part of subcall function 00251E0C: malloc.MSVCRT ref: 00251E1F
                                  • Part of subcall function 00251E0C: _CxxThrowException.MSVCRT(?,00304B28), ref: 00251E39
                                  • Part of subcall function 0029BDB5: __EH_prolog.LIBCMT ref: 0029BDBA
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                APIs
                                • FindClose.KERNELBASE(00000000,?,00256880), ref: 00256853
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                APIs
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                APIs
                                Similarity
                                • API ID: fputc
                                • String ID:
                                • API String ID: 1992160199-0
                                APIs
                                • SetFileTime.KERNELBASE(?,?,?,?,00257C65,00000000,00000000,?,0025F238,?,?,?,?), ref: 00257C49
                                Similarity
                                • API ID: FileTime
                                • String ID:
                                • API String ID: 1425588814-0
                                APIs
                                • SetEndOfFile.KERNELBASE(?,00257D81,?,?,?), ref: 00257D3E
                                Similarity
                                • API ID: File
                                • String ID:
                                • API String ID: 749574446-0
                                APIs
                                Similarity
                                • API ID: memmove
                                • String ID:
                                • API String ID: 2162964266-0
                                APIs
                                • CloseHandle.KERNELBASE(00000000,00000000,00263D8D,?,00000000,?,?,00000000,00000000,76368E30), ref: 00263E12
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                APIs
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                APIs
                                • CloseHandle.KERNELBASE(00000000,?,002575AF,00000002,?,00000000,00000000), ref: 00257657
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000), ref: 002D6B31
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                APIs
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                APIs
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002D6BAC
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                • GetCurrentProcessId.KERNEL32(?,003131C8,?,00000000), ref: 002D57EA
                                  • Part of subcall function 002EF050: memcpy.MSVCRT(?,?,?,00000000,?,?,?,002E8202,?,?,?,002E932B,?,?,00000000,00000000), ref: 002EF07F
                                • GetCurrentThreadId.KERNEL32 ref: 002D5803
                                  • Part of subcall function 002EF050: memcpy.MSVCRT(?,?,00000040,00000000,?,?,?,002E8202,?,?,?,002E932B,?,?,00000000,00000000), ref: 002EF09B
                                  • Part of subcall function 002EF050: memcpy.MSVCRT(?,?,?,?,?,?), ref: 002EF0D0
                                • LoadLibraryW.KERNEL32(advapi32.dll,00000004,?,00000000), ref: 002D5821
                                • GetProcAddress.KERNEL32(00000000,SystemFunction036), ref: 002D5833
                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 002D5865
                                • QueryPerformanceCounter.KERNEL32(?,?,00000000), ref: 002D5876
                                • GetTickCount.KERNEL32 ref: 002D588F
                                Strings
                                Similarity
                                • API ID: memcpy$CurrentLibrary$AddressCountCounterFreeLoadPerformanceProcProcessQueryThreadTick
                                • String ID: SystemFunction036$advapi32.dll
                                • API String ID: 3940253874-1354007664
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,7591F5D0,00000002,00000000,?,?,?,?,?,?,002579D0,00251AD1,>{%,?,00000002), ref: 0025926E
                                • GetProcAddress.KERNEL32(00000000), ref: 00259275
                                • GetDiskFreeSpaceW.KERNEL32(00000002,?,?,002579D0,00251AD1,?,?,?,?,?,?,002579D0,00251AD1,>{%,?,00000002), ref: 002592C5
                                Strings
                                Similarity
                                • API ID: AddressDiskFreeHandleModuleProcSpace
                                • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                • API String ID: 1197914913-1127948838
                                APIs
                                • __EH_prolog.LIBCMT ref: 00258300
                                • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0025834F
                                • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0025837C
                                • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0025839B
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Similarity
                                • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                • String ID:
                                • API String ID: 1689166341-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0029D49B
                                  • Part of subcall function 0029EBC9: __EH_prolog.LIBCMT ref: 0029EBCE
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: Copy$LZMA2
                                • API String ID: 3519838083-1006940721
                                APIs
                                Similarity
                                • API ID: Version
                                • String ID:
                                • API String ID: 1889659487-0
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: ERROR$GNU$LongLink$LongName$PAX$PAX_error$PAX_overflow$PAX_unsupported_line$POSIX$SignedChecksum$WARNING$atime$bin_mtime$bin_psize$bin_size$ctime$mtime$pax_linkpath$pax_path$pax_size
                                • API String ID: 3519838083-1011227609
                                APIs
                                • __EH_prolog.LIBCMT ref: 002B07B8
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                  • Part of subcall function 0025297F: memcpy.MSVCRT(?,?,?,?,?,002750A5,?,?), ref: 002529B2
                                Strings
                                Similarity
                                • API ID: H_prologfreememcpy
                                • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname
                                • API String ID: 2037215848-4204487407
                                APIs
                                • memcmp.MSVCRT(?,003048A0,00000010), ref: 0025C09E
                                • memcmp.MSVCRT(?,00300258,00000010), ref: 0025C0BB
                                • memcmp.MSVCRT(?,00300348,00000010), ref: 0025C0CE
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                • API String ID: 3519838083-1909666238
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: -Cert$:eos$AES$Central$Descriptor_ERROR$Local$StrongCrypto$ZipCrypto$p,0
                                • API String ID: 3519838083-1018968947
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $$ 0$.$:mem$Delta$LZMA$LZMA2$o
                                • API String ID: 3519838083-2819217950
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs
                                • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                                • API String ID: 1795875747-657955069
                                APIs
                                • EnterCriticalSection.KERNEL32(00312938), ref: 0028591F
                                • fputs.MSVCRT ref: 0028595E
                                • fputs.MSVCRT ref: 00285983
                                • LeaveCriticalSection.KERNEL32(00312938), ref: 00285A1F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSectionfputs$EnterLeave
                                • String ID: v$8)1$Would you like to replace the existing file:$with the file from archive:
                                • API String ID: 3346953513-2645896536
                                • Opcode ID: f421782f52bfbd6bfe1efa8ad44ff0a46f1569d866ce77548b66f8c7aa8bc5e9
                                • Instruction ID: 55e630406a6abbe32c760927ea1a39156ae5839c09d904c646a6b6a94367d6d0
                                • Opcode Fuzzy Hash: f421782f52bfbd6bfe1efa8ad44ff0a46f1569d866ce77548b66f8c7aa8bc5e9
                                • Instruction Fuzzy Hash: BF31D139222A14DFDB15BF64DC81BAA77A5EF48360F110259F94A9B2E1CB70AC70CF54
                                APIs
                                • __EH_prolog.LIBCMT ref: 00274B61
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfree
                                • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                                • API String ID: 1978129608-4104380264
                                • Opcode ID: 334825591cf5d75ae170361918686217506a02a7c1646c7140623a0d17c12f09
                                • Instruction ID: 02392bbe52534b06c7b69096bd9dd12007f6d417af20630cb6dd947091fbd4cd
                                • Opcode Fuzzy Hash: 334825591cf5d75ae170361918686217506a02a7c1646c7140623a0d17c12f09
                                • Instruction Fuzzy Hash: 04B1F831824249DFCF22EFA4C481BEDBBB1BF19314F14809DE94967182C7B19E69CB65
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                                • API String ID: 3519838083-2104980125
                                • Opcode ID: 9890ab3f518a5cdcd4d42ad2533e05b4c5585f4b48516ae462a422d232a9f677
                                • Instruction ID: a1b89ec18a598bb06f728f2605e43fe6fa8b8051d97b4b23328c0bed04825e94
                                • Opcode Fuzzy Hash: 9890ab3f518a5cdcd4d42ad2533e05b4c5585f4b48516ae462a422d232a9f677
                                • Instruction Fuzzy Hash: 2651E03062025BEBCF14DF58C491BADBBB1EF11346F14819AEC159B581D770EA79CB84
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028D829
                                • EnterCriticalSection.KERNEL32(00312960,?,00000001,?,?,0028DBB0,?,0000006F,0000006F,?,?,00000000), ref: 0028D83D
                                • fputs.MSVCRT ref: 0028D88E
                                • LeaveCriticalSection.KERNEL32(00312960,?,00000001,?,?,0028DBB0,?,0000006F,0000006F,?,?,00000000), ref: 0028D95F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeavefputs
                                • String ID: v$`)1
                                • API String ID: 2174113412-1072417872
                                • Opcode ID: caaae5de4b93b6ce18b8432de84084488d0b31a54371b60e37ea37d9ffd540a6
                                • Instruction ID: 1ea03de0c4bffbc54654dab37d6df58341d49c7a3ceff9df1df3e7b0255e61a2
                                • Opcode Fuzzy Hash: caaae5de4b93b6ce18b8432de84084488d0b31a54371b60e37ea37d9ffd540a6
                                • Instruction Fuzzy Hash: E041A035621386DFCF25AF64C490BAEBBA2FF45301F04482EE49A972D1CB316829CF51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: exit$CriticalSection$EnterLeave
                                • String ID: v
                                • API String ID: 43521-3261393531
                                • Opcode ID: e7ea7d2e81548ec189468d5e60ec5823fe4ec62d42af95b51eef4a19f34dfa46
                                • Instruction ID: 3ec3743ebcbeae2d7aa104a2c2e4cf15e4f1c7716266b7a5d395ea0512dcd89a
                                • Opcode Fuzzy Hash: e7ea7d2e81548ec189468d5e60ec5823fe4ec62d42af95b51eef4a19f34dfa46
                                • Instruction Fuzzy Hash: 781109715507418FD770EFA2D981AA6F7F1BF44704B804A2FE18642A81DB70BA5ACF91
                                APIs
                                • fputs.MSVCRT ref: 0028CCC2
                                  • Part of subcall function 0028C7D7: fputs.MSVCRT ref: 0028C840
                                • fputs.MSVCRT ref: 0028CE43
                                  • Part of subcall function 00251F91: fflush.MSVCRT ref: 00251F93
                                • fputs.MSVCRT ref: 0028CD75
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                  • Part of subcall function 00251FB3: __EH_prolog.LIBCMT ref: 00251FB8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfflushfputc
                                • String ID: ERRORS:$WARNINGS:
                                • API String ID: 1876658717-3472301450
                                • Opcode ID: f0091c0f14fdc86e281992c40167b989e1949b124638cf3e76ea56ac9fbe6f78
                                • Instruction ID: 1f93fa1cfa8d843c5bd3e28a5c5fb30671061bb7fd928d386ab620da76d36116
                                • Opcode Fuzzy Hash: f0091c0f14fdc86e281992c40167b989e1949b124638cf3e76ea56ac9fbe6f78
                                • Instruction Fuzzy Hash: CC717538622706DBDB14BF61C595BAAB7A2EF44301F14843DE85A476E1CB30AC74CF61
                                APIs
                                • __EH_prolog.LIBCMT ref: 002AC453
                                  • Part of subcall function 002AC1DF: __EH_prolog.LIBCMT ref: 002AC1E4
                                  • Part of subcall function 002AC543: __EH_prolog.LIBCMT ref: 002AC548
                                  • Part of subcall function 00251E0C: malloc.MSVCRT ref: 00251E1F
                                  • Part of subcall function 00251E0C: _CxxThrowException.MSVCRT(?,00304B28), ref: 00251E39
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID: ((0$<(0$L(0$\(0
                                • API String ID: 3744649731-2803694930
                                • Opcode ID: 39b59105c16326629000aa692272bf2142bff131f76255044df73df00b455845
                                • Instruction ID: 5d4d4a1b6ac0084d2f9ee72b30cae6e0190635f17b6b7c66e42a1d2555bc2add
                                • Opcode Fuzzy Hash: 39b59105c16326629000aa692272bf2142bff131f76255044df73df00b455845
                                • Instruction Fuzzy Hash: 072189B4921B44CFCB21DF6AC45866BFBF4AF50304F20891ED09A97B51CBB0AA188F50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: Archive size: $Files read from disk$Volumes:
                                • API String ID: 2614055831-73833580
                                • Opcode ID: d547b8159e644b4aab9e20c7ec3f06d241f3f7cf04c4259a96a50e05bb1c4974
                                • Instruction ID: c653db1230e8dcfde46129b2235f449e6258b541de2b428d64b0e7d43eb7d2a6
                                • Opcode Fuzzy Hash: d547b8159e644b4aab9e20c7ec3f06d241f3f7cf04c4259a96a50e05bb1c4974
                                • Instruction Fuzzy Hash: F6217C7582060ADBCB19FFA0C856BEEBBB5BF55300F004429A906624E1DF7079ADCF91
                                APIs
                                • __EH_prolog.LIBCMT ref: 002846D4
                                • EnterCriticalSection.KERNEL32(00312918), ref: 002846E8
                                • CompareFileTime.KERNEL32(?,?), ref: 00284712
                                • LeaveCriticalSection.KERNEL32(00312918), ref: 0028476A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                                • String ID: v
                                • API String ID: 3800395459-3261393531
                                • Opcode ID: 23434f99934ddb79a51898ddab9d6ca745176468a1102292256d28e8290e608b
                                • Instruction ID: 5a71c022ac09c3805afb7b654ece75c1b1b5a7bb8760568447f35970557627e5
                                • Opcode Fuzzy Hash: 23434f99934ddb79a51898ddab9d6ca745176468a1102292256d28e8290e608b
                                • Instruction Fuzzy Hash: F321DE75510606AFDB20EF24D588BAAFBB4FF45348F10802DE85A87651D770E968CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00284642
                                • EnterCriticalSection.KERNEL32(00312918), ref: 00284656
                                • LeaveCriticalSection.KERNEL32(00312918), ref: 00284685
                                • LeaveCriticalSection.KERNEL32(00312918), ref: 002846C5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$EnterH_prolog
                                • String ID: v
                                • API String ID: 2532973370-3261393531
                                • Opcode ID: 879cf876ee4ea7de0d4bae41b62ee9a166e0e94f4daa1bb292215fc5db90eb12
                                • Instruction ID: acec64bf47609f9be58ce67b777cf03b52f9f0030a9f8f1abfd209371144afe3
                                • Opcode Fuzzy Hash: 879cf876ee4ea7de0d4bae41b62ee9a166e0e94f4daa1bb292215fc5db90eb12
                                • Instruction Fuzzy Hash: 33119E79A10216AFC714EF15D88896EB7A8FF8A720B20823DE40ACB740D774EC15CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028D40B
                                • fputs.MSVCRT ref: 0028D42E
                                  • Part of subcall function 00251FB3: __EH_prolog.LIBCMT ref: 00251FB8
                                • fputs.MSVCRT ref: 0028D46A
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                  • Part of subcall function 00251E40: free.MSVCRT ref: 00251E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputcfree
                                • String ID: : $Write SFX:
                                • API String ID: 1941438168-2530961540
                                • Opcode ID: e159322e315041f689e674db5d32b92517a9239f5e51ad4793a0cd84977b1ad5
                                • Instruction ID: 4f2be4ccfcf82615a4d3218c659b456b6cc9379e5aeaab23bcb1b7bbd34cb78d
                                • Opcode Fuzzy Hash: e159322e315041f689e674db5d32b92517a9239f5e51ad4793a0cd84977b1ad5
                                • Instruction Fuzzy Hash: 17015E326142099BCB05ABA4EC02B9EB7B6EF44350F10442AE905A21E1DF716979DF54
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028D087
                                • EnterCriticalSection.KERNEL32(00312960), ref: 0028D09A
                                  • Part of subcall function 0028CF20: __EH_prolog.LIBCMT ref: 0028CF25
                                  • Part of subcall function 0028CF20: fputs.MSVCRT ref: 0028CF92
                                • LeaveCriticalSection.KERNEL32(00312960,?,?,00000001), ref: 0028D0D6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v$`)1
                                • API String ID: 347903205-1072417872
                                • Opcode ID: 1b853f826a3d059dc881989b72d48768f1f32a0e29a9dc14855e130e55aa7729
                                • Instruction ID: 5309efc70a8d0840c4b1238c640f081d9265b5c654ccd2075c3a95167b32d123
                                • Opcode Fuzzy Hash: 1b853f826a3d059dc881989b72d48768f1f32a0e29a9dc14855e130e55aa7729
                                • Instruction Fuzzy Hash: 8EF06236610108FFDB099F54DC19FDDBB75FF48314F00812AF51596191CBB5AA65CBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028D7BD
                                • EnterCriticalSection.KERNEL32(00312960), ref: 0028D7D0
                                • LeaveCriticalSection.KERNEL32(00312960), ref: 0028D804
                                  • Part of subcall function 0028C911: GetTickCount.KERNEL32 ref: 0028C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterH_prologLeaveTick
                                • String ID: v$`)1
                                • API String ID: 2547919631-1072417872
                                • Opcode ID: f5afa91ecb70a7f8d7f5196ecfbce49b5b899668982c913ec794be7641d6a65e
                                • Instruction ID: cee42c880d5194ab634324f9f8120fcf723826d51481f27a2234e30a0fabff68
                                • Opcode Fuzzy Hash: f5afa91ecb70a7f8d7f5196ecfbce49b5b899668982c913ec794be7641d6a65e
                                • Instruction Fuzzy Hash: E9F0C239621204EFD704EF18C908B99F7E4EF45350F14803AE400D3390DBB4D925CBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028D0F4
                                • EnterCriticalSection.KERNEL32(00312960), ref: 0028D108
                                  • Part of subcall function 0028CF20: __EH_prolog.LIBCMT ref: 0028CF25
                                  • Part of subcall function 0028CF20: fputs.MSVCRT ref: 0028CF92
                                • LeaveCriticalSection.KERNEL32(00312960,?,?,00000000), ref: 0028D133
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v$`)1
                                • API String ID: 347903205-1072417872
                                • Opcode ID: dcf100af2656c655692f67569d8d8640d9fae2bf7d618d1466a3e486e5d25484
                                • Instruction ID: b8046465c2d22d52c00584fd2d9368c92d14d1ba390397b60efb4d5e43c57765
                                • Opcode Fuzzy Hash: dcf100af2656c655692f67569d8d8640d9fae2bf7d618d1466a3e486e5d25484
                                • Instruction Fuzzy Hash: 8AF0273AB60104BFD7016B08DD09BAEB779EFC5360F20403EF905E3280C7B89D2586A4
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028CFF9
                                • EnterCriticalSection.KERNEL32(00312960,?,?,?,00286A2C,?,?), ref: 0028D00C
                                  • Part of subcall function 0028CF20: __EH_prolog.LIBCMT ref: 0028CF25
                                  • Part of subcall function 0028CF20: fputs.MSVCRT ref: 0028CF92
                                • LeaveCriticalSection.KERNEL32(00312960,?,?,00000001,?,?,?,?,?,00286A2C,?,?), ref: 0028D037
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v$`)1
                                • API String ID: 347903205-1072417872
                                • Opcode ID: 8073d012cc469863ed4901ae996f04f196e4df6d9991a5b8e50be0e527cb4c8a
                                • Instruction ID: 60a00ad78e4a66b7a38e8a572f5e6a1a3242a4cd522f5633389a8e50f33ed2e1
                                • Opcode Fuzzy Hash: 8073d012cc469863ed4901ae996f04f196e4df6d9991a5b8e50be0e527cb4c8a
                                • Instruction Fuzzy Hash: DAF08236620018FFCB05AF54DD09FEEBB79FF48364F00802AF50596151CBB56A25CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 0028D765
                                • EnterCriticalSection.KERNEL32(00312960), ref: 0028D778
                                • LeaveCriticalSection.KERNEL32(00312960), ref: 0028D7A0
                                  • Part of subcall function 0028C911: GetTickCount.KERNEL32 ref: 0028C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2117981557.0000000000251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00250000, based on PE: true
                                • Associated: 0000000B.00000002.2117954639.0000000000250000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118058314.00000000002FC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118087358.0000000000312000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000B.00000002.2118107325.000000000031B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_250000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterH_prologLeaveTick
                                • String ID: v$`)1
                                • API String ID: 2547919631-1072417872
                                • Opcode ID: da1a7166183500ab138d8a9abd9a90d858bd1ee0430bb491cfb6f651cfc3a741
                                • Instruction ID: 846ff45477fad6672a9307c649fb0ffcf10cc81e170dcb541ddf37d6ca1f58f9
                                • Opcode Fuzzy Hash: da1a7166183500ab138d8a9abd9a90d858bd1ee0430bb491cfb6f651cfc3a741
                                • Instruction Fuzzy Hash: 53F0BE35A10605EFC705EF28D408BA9F3B4FF08320F00452AE405D3240CBB4AA64CBA0
                                APIs
                                • GetVersion.KERNEL32(0028C2E1), ref: 002ED290
                                • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 002ED2A6
                                • GetProcAddress.KERNEL32(00000000), ref: 002ED2AD
                                Strings
                                Similarity
                                • API ID: AddressHandleModuleProcVersion
                                • String ID: SetDefaultDllDirectories$kernel32.dll
                                • API String ID: 3310240892-2102062458
                                • Opcode ID: ff81c6359ba533ec0ba0d3c5fe026e8eb1781d1de0494c24a310e64fffefd80f
                                • Instruction ID: 059870795727595225c0a5ca7e44925c0f2d672f1113dac239395c471834fa2f
                                • Opcode Fuzzy Hash: ff81c6359ba533ec0ba0d3c5fe026e8eb1781d1de0494c24a310e64fffefd80f
                                • Instruction Fuzzy Hash: A4C0127029220EA7F6106BB5BF1EB7A251A5700BD3FA14020FE05D00E1DEA8C571C531
                                APIs
                                • __EH_prolog.LIBCMT ref: 00269199
                                • memcpy.MSVCRT(?,?,?,?,00000000,?,?), ref: 0026921D
                                • memcpy.MSVCRT(?,?,?,?,?,?,00000000,?,?), ref: 0026933B
                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0026934F
                                • memset.MSVCRT ref: 0026955C
                                Similarity
                                • API ID: memcpy$H_prologmemset
                                • String ID:
                                • API String ID: 2371260246-0
                                • Opcode ID: dad767fdf9deb379f9a0a03730d8915129a533ecbd5be7cff6a8802bb84fefff
                                • Instruction ID: 8cb734d7a94a84e234e54578c68bfee054c3c6c4c7265c9605253dd52e996c27
                                • Opcode Fuzzy Hash: dad767fdf9deb379f9a0a03730d8915129a533ecbd5be7cff6a8802bb84fefff
                                • Instruction Fuzzy Hash: 96127F71A10346DFCB20CFA4C984AAEB7F9AF45300F24486DE55ADB291DB71ADD5CB20
                                APIs
                                Similarity
                                • API ID: wcscmp$ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 2750596395-0
                                • Opcode ID: 8f115a72b48d8a58d65e5e93707bc255ee5de804bbf52fbeaf2d08ad7e323f1a
                                • Instruction ID: 8593b8e0c6990bfd154796eb4dcf7f38de1a6af1f781751a438adb1a3c7e423c
                                • Opcode Fuzzy Hash: 8f115a72b48d8a58d65e5e93707bc255ee5de804bbf52fbeaf2d08ad7e323f1a
                                • Instruction Fuzzy Hash: 0091DF31D21249DFCF15EFA8C855AEDFBB0BF5531AF14805AE80167291CB309AA9CF58
                                APIs
                                • memset.MSVCRT ref: 002B03F5
                                • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 002B0490
                                • memset.MSVCRT ref: 002B0618
                                Strings
                                Similarity
                                • API ID: memset$memcpy
                                • String ID: $@
                                • API String ID: 368790112-1077428164
                                • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                • Instruction ID: 6e389f835a7b76edc4adefd90e0fd2b2e677cad390451ea014448bc97d107a83
                                • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                • Instruction Fuzzy Hash: 8291F130910309AFEB22DF24C8C1BDBB7B5BF54384F048559E59A57592DB70BAA8CF90
                                APIs
                                  • Part of subcall function 002E7D80: WaitForSingleObject.KERNEL32(?,000000FF,0026AFD6,?), ref: 002E7D83
                                  • Part of subcall function 002E7D80: GetLastError.KERNEL32(?,000000FF,0026AFD6,?), ref: 002E7D8E
                                • EnterCriticalSection.KERNEL32(?), ref: 002D926B
                                • EnterCriticalSection.KERNEL32(?), ref: 002D9274
                                • LeaveCriticalSection.KERNEL32(?), ref: 002D9296
                                • LeaveCriticalSection.KERNEL32(?), ref: 002D9299
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                                • String ID: v
                                • API String ID: 2116739831-3261393531
                                • Opcode ID: c68399e8116304db4acc4f73bc6423c94f90924376f11e51e26a1e6d1a106b51
                                • Instruction ID: 34f4a5bb9d110113caee2a692d3b585cdcb6828dc0eed741e5ca0fb8c4d27915
                                • Opcode Fuzzy Hash: c68399e8116304db4acc4f73bc6423c94f90924376f11e51e26a1e6d1a106b51
                                • Instruction Fuzzy Hash: 3A416D31610B0AAFC718DF74C994AAAF3E5FF48310F10462EE5AA43640DB75B9A5CF90
                                APIs
                                • memcmp.MSVCRT(?,003048A0,00000010), ref: 002644DB
                                • memcmp.MSVCRT(?,00300128,00000010), ref: 002644EE
                                • memcmp.MSVCRT(?,00300228,00000010), ref: 0026450B
                                • memcmp.MSVCRT(?,00300248,00000010), ref: 00264528
                                • memcmp.MSVCRT(?,003001C8,00000010), ref: 00264545
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: cf15f64495f1d00c8c15fc2334bcc7e9ec668addd1427af8bb6306df9f9f15a7
                                • Instruction ID: f7ab5f531acb6416ceb97b72d4a9448ddac772b8a1fc0b3256ba1c3f5ff87a0c
                                • Opcode Fuzzy Hash: cf15f64495f1d00c8c15fc2334bcc7e9ec668addd1427af8bb6306df9f9f15a7
                                • Instruction Fuzzy Hash: 832107727602096BE719EE10CC82FBE33AC9B617A0F508035FD468B281FB61DD608691
                                APIs
                                • memcmp.MSVCRT(?,003048A0,00000010), ref: 002789D5
                                • memcmp.MSVCRT(?,00300258,00000010), ref: 002789F2
                                • memcmp.MSVCRT(?,00300328,00000010), ref: 00278A05
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 8454f730abaf2c38831a813f3ff0c34cbbd44e85bfa034f1d3b62771e6b4f9c2
                                • Instruction ID: 5dbe07ff4c4933be9e80424e074fc069fc029819201b246ae3147e7316f5cd18
                                • Opcode Fuzzy Hash: 8454f730abaf2c38831a813f3ff0c34cbbd44e85bfa034f1d3b62771e6b4f9c2
                                • Instruction Fuzzy Hash: C121D7726A02056BE7058E11CC96FBE33AC9B51354F10C53AFE099B241FA71DD209791
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: !$LZMA2:$LZMA:
                                • API String ID: 3519838083-3332058968
                                • Opcode ID: b326adee0a290e24926b0b2459fd6902ae02f98f05047f1348a4010434b0f750
                                • Instruction ID: 2b5093af7e7908bf18066d1411dc122ea4ceb9ba8bb72ea32457a879836abc9a
                                • Opcode Fuzzy Hash: b326adee0a290e24926b0b2459fd6902ae02f98f05047f1348a4010434b0f750
                                • Instruction Fuzzy Hash: 1C61007092014AEEDF25CF64C599BFD7BB5AF45340F7540B9E806671A2CB70AEA4CB40
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: : Removing files after including to archive$Removing
                                • API String ID: 1185151155-1218467041
                                • Opcode ID: 6637e16c32e7a755477b06b13e93e4a64523c012aa0b0cdfb1581a98e4561910
                                • Instruction ID: 112ebc49fbd367dc0be58a355f4b7582a451028c81cee87ba34c47e354788e79
                                • Opcode Fuzzy Hash: 6637e16c32e7a755477b06b13e93e4a64523c012aa0b0cdfb1581a98e4561910
                                • Instruction Fuzzy Hash: 34317C36221702DFC765BF60D891BABB3A6AB45301F00482EE49A020E2DF34386DCF15
                                APIs
                                • __EH_prolog.LIBCMT ref: 002BD8F0
                                • EnterCriticalSection.KERNEL32(?), ref: 002BD904
                                • LeaveCriticalSection.KERNEL32(?), ref: 002BD994
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: e5a198578f2c0cb007b9830e18e34f1edc97be4b6190a3e536f595f0ff68c456
                                • Instruction ID: a1d0348eb2fd68f9d6e9d36b854ec8763399275bdf4cad33d18a284cc0804fd5
                                • Opcode Fuzzy Hash: e5a198578f2c0cb007b9830e18e34f1edc97be4b6190a3e536f595f0ff68c456
                                • Instruction Fuzzy Hash: 063103B5A00B05CFCB24DF68C984AAAB7F4FF48390B04492DE88A97701E730F914CB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 002607E0
                                • EnterCriticalSection.KERNEL32(?), ref: 002607F2
                                • LeaveCriticalSection.KERNEL32(?), ref: 0026086B
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: 5d31ce02327b16719f6fb7e8978b654cec5286c616f6fba1ddd1bad95e1b2a8d
                                • Instruction ID: 98c90a86c237cc017a7de0388a0dcb22e550515280ccc8fb539acd54f26dbb60
                                • Opcode Fuzzy Hash: 5d31ce02327b16719f6fb7e8978b654cec5286c616f6fba1ddd1bad95e1b2a8d
                                • Instruction Fuzzy Hash: 17215734A10215DFDB24CF69C58496AFBF9FF88764B15866ED84A8B321C730EC15CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 002606FB
                                • EnterCriticalSection.KERNEL32(?), ref: 0026070B
                                • LeaveCriticalSection.KERNEL32(?,?), ref: 00260786
                                  • Part of subcall function 0026089E: _CxxThrowException.MSVCRT(?,00304A58), ref: 002608C4
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                                • String ID: v
                                • API String ID: 4150843469-3261393531
                                • Opcode ID: afefd80e2101a472164637d1ee44a026accc4938d7a609fc3f5ef609cca3c9e4
                                • Instruction ID: d6e17c73f3d89f08803c49a8238e381e20700e0de75490aeb842fdece3c567a9
                                • Opcode Fuzzy Hash: afefd80e2101a472164637d1ee44a026accc4938d7a609fc3f5ef609cca3c9e4
                                • Instruction Fuzzy Hash: 19215CB1A20609DFCB24DF28D584B6ABBF0FF48354F10892EE44ACBA41D731A965CF50
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 002593A7
                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 002593B7
                                Strings
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: RtlGetVersion$ntdll.dll
                                • API String ID: 1646373207-1489217083
                                • Opcode ID: b6d796fc5149c287a903a443ecdb3e0288ba2efcc97d70797b637dfdc882be28
                                • Instruction ID: 08fc428deb450a9290f0338c96d458c81ada64296ebc333a81cac9da484e9774
                                • Opcode Fuzzy Hash: b6d796fc5149c287a903a443ecdb3e0288ba2efcc97d70797b637dfdc882be28
                                • Instruction Fuzzy Hash: 1BF06271A2021DC6DF34AF309D0A7F673E85B01746F0004A4EA09E5081DBB8DEEAC999
                                APIs
                                • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00270359
                                • GetLastError.KERNEL32(?,?,00000000,?), ref: 00270382
                                • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 002703DA
                                • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 002703F0
                                Similarity
                                • API ID: ErrorFileLastSecurity
                                • String ID:
                                • API String ID: 555121230-0
                                • Opcode ID: d080ea436e9342bdcb67914ca832b9bbb1cb06dffcc1409af42203df7e6340a7
                                • Instruction ID: 4185e21bf4edcded897b391f43119f11cb1958c1794279946f768c499224053c
                                • Opcode Fuzzy Hash: d080ea436e9342bdcb67914ca832b9bbb1cb06dffcc1409af42203df7e6340a7
                                • Instruction Fuzzy Hash: 06318E7091020AEFDB10DFA4C8C4BAEBBB5FF44344F108999E45AE7250D770AE55DB60
                                APIs
                                Similarity
                                • API ID: fputs$H_prologfputcfree
                                • String ID:
                                • API String ID: 3247574066-0
                                • Opcode ID: f3234c294f7d2e17371e97a427dc122b5d6c9732b2824673235b4d165334fea0
                                • Instruction ID: e2baf9e97edd6cd8822808d9d5e865482709f73c6674ae5784d17c85e0130a0c
                                • Opcode Fuzzy Hash: f3234c294f7d2e17371e97a427dc122b5d6c9732b2824673235b4d165334fea0
                                • Instruction Fuzzy Hash: DFF0F032D00019ABCB06BB94DC12AEEFF72EF443A0F00002AE801631A1DB710975DFC0
                                APIs
                                • EnterCriticalSection.KERNEL32(00312938), ref: 002858D1
                                • LeaveCriticalSection.KERNEL32(00312938), ref: 00285907
                                Strings
                                Similarity
                                • API ID: CriticalSection$EnterLeave
                                • String ID: v$8)1
                                • API String ID: 3168844106-1564783448
                                • Opcode ID: 2e4842bb188ddad68b7e9ace54dbd3b66638fa3f2325b56be726ca551e1aab1f
                                • Instruction ID: 3875168520852bc3ec186968afdc360eb988ae05269fc3ca7573f8e99537babe
                                • Opcode Fuzzy Hash: 2e4842bb188ddad68b7e9ace54dbd3b66638fa3f2325b56be726ca551e1aab1f
                                • Instruction Fuzzy Hash: 4EF030396126109FC308EF19D448EA677A5AF99311B25807EE0058B3A1CB30DD9ACFA0
                                APIs
                                • wcscmp.MSVCRT ref: 002A8CC6
                                • __EH_prolog.LIBCMT ref: 002A88DD
                                  • Part of subcall function 002A8E31: __EH_prolog.LIBCMT ref: 002A8E36
                                Strings
                                Similarity
                                • API ID: H_prolog$wcscmp
                                • String ID: Can't open volume:
                                APIs
                                • __EH_prolog.LIBCMT ref: 00279536
                                  • Part of subcall function 0025965D: VariantClear.OLEAUT32(?), ref: 0025967F
                                Strings
                                Similarity
                                • API ID: ClearH_prologVariant
                                • String ID: Unknown error$Unknown warning
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$crc
                                APIs
                                Strings
                                Similarity
                                • API ID: wcscmp
                                • String ID: UNC
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prologstrlen
                                • String ID: sums
                                APIs
                                Strings
                                Similarity
                                • API ID: __aulldivstrlen
                                • String ID: M
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: BT2$LZMA
                                APIs
                                Strings
                                Similarity
                                • API ID: ErrorH_prologLast
                                • String ID: :
                                APIs
                                Strings
                                • Cannot open the file as archive, xrefs: 002886D0
                                • Cannot open encrypted archive. Wrong password?, xrefs: 00288698
                                Similarity
                                • API ID: fputs
                                • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                                APIs
                                • __EH_prolog.LIBCMT ref: 002B51DA
                                  • Part of subcall function 00251E0C: malloc.MSVCRT ref: 00251E1F
                                  • Part of subcall function 00251E0C: _CxxThrowException.MSVCRT(?,00304B28), ref: 00251E39
                                Strings
                                Similarity
                                • API ID: ExceptionH_prologThrowmalloc
                                • String ID: p/0$/
                                APIs
                                • __EH_prolog.LIBCMT ref: 002B4039
                                  • Part of subcall function 002B40BA: __EH_prolog.LIBCMT ref: 002B40BF
                                  • Part of subcall function 00295E2B: __EH_prolog.LIBCMT ref: 00295E30
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: D.0$T.0
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs
                                • String ID: =
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: `&1
                                APIs
                                • fputs.MSVCRT ref: 00289594
                                • fputs.MSVCRT ref: 0028959D
                                  • Part of subcall function 00252201: fputs.MSVCRT ref: 0025221E
                                  • Part of subcall function 00251FA0: fputc.MSVCRT ref: 00251FA7
                                Strings
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: Archives
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs
                                • String ID: Unsupported Windows version$p&1
                                APIs
                                • memcmp.MSVCRT(?,003048A0,00000010), ref: 002B41D6
                                • memcmp.MSVCRT(?,00300168,00000010), ref: 002B41F1
                                • memcmp.MSVCRT(?,003001E8,00000010), ref: 002B4205
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                APIs
                                • memcmp.MSVCRT(?,003048A0,00000010), ref: 0027CDED
                                • memcmp.MSVCRT(?,00300108,00000010), ref: 0027CE08
                                • memcmp.MSVCRT(?,00300138,00000010), ref: 0027CE1C
                                Similarity
                                • API ID: memcmp
                                • String ID: