
Windows Analysis Report
Setup64v7.3.9.exe

Overview

General Information

Sample name: Setup64v7.3.9.exe
Analysis ID: 1580842
MD5: adbae5ff217253f04132277916d5af08
SHA1: 148a186f26caa8fc6298ea9bf6641add1cfa2160
SHA256: 9a10f85e8932ecec7724c573c91f32b086af49d0c6f1fc9e219328473ef31c67
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Adds a directory exclusion to Windows Defender
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup64v7.3.9.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\Setup64v7.3.9.exe" MD5: ADBAE5FF217253F04132277916D5AF08)
    • Setup64v7.3.9.tmp (PID: 1088 cmdline: "C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" MD5: 9C495CFE45360DE58A589F398974999F)
      • powershell.exe (PID: 320 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 6392 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • Setup64v7.3.9.exe (PID: 4984 cmdline: "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT MD5: ADBAE5FF217253F04132277916D5AF08)
        • Setup64v7.3.9.tmp (PID: 6396 cmdline: "C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp" /SL5="$20486,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT MD5: 9C495CFE45360DE58A589F398974999F)
          • 7zr.exe (PID: 1292 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 4440 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 4440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • cmd.exe (PID: 1292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 6200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2820 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4196 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5552 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5732 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5732 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5620 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5604 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1520 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2504 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5552 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6388 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2232 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5552 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp, ParentProcessId: 1088, ParentProcessName: Setup64v7.3.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 320, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7060, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2820, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp, ParentProcessId: 1088, ParentProcessName: Setup64v7.3.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 320, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7060, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2820, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp, ParentProcessId: 1088, ParentProcessName: Setup64v7.3.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 320, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsv.vbc; Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\bv2p0UUx502h.tmp; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\bv2p0UUx502h.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\hrsv.vbc; Joe Sandbox ML: detected
Source: Setup64v7.3.9.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Setup64v7.3.9.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000D.00000003.2172247541.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2172369425.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B46868 __EH_prolog, FindFirstFileW, FindFirstFileW, FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B47496 __EH_prolog, GetLogicalDriveStringsW, GetLogicalDriveStringsW, GetLogicalDriveStringsW
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup64v7.3.9.tmp, 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, 7zr.exe.7.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup64v7.3.9.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup64v7.3.9.exe, 00000000.00000003.2055068177.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.exe, 00000000.00000003.2055597035.000000007EF4B000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.tmp, 00000002.00000000.2057962622.0000000000311000.00000020.00000001.01000000.00000004.sdmp, Setup64v7.3.9.tmp, 00000007.00000000.2126559227.000000000073D000.00000020.00000001.01000000.00000008.sdmp, Setup64v7.3.9.tmp.0.dr, Setup64v7.3.9.tmp.6.dr; String found in binary or memory: https://www.innosetup.com/
Source: Setup64v7.3.9.exe, 00000000.00000003.2055068177.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.exe, 00000000.00000003.2055597035.000000007EF4B000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.tmp, 00000002.00000000.2057962622.0000000000311000.00000020.00000001.01000000.00000004.sdmp, Setup64v7.3.9.tmp, 00000007.00000000.2126559227.000000000073D000.00000020.00000001.01000000.00000008.sdmp, Setup64v7.3.9.tmp.0.dr, Setup64v7.3.9.tmp.6.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Process information set: 01 00 00 00
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B482FB: __EH_prolog, GetFileInformationByHandle, DeviceIoControl, memcpy
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C780D50
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C754D43
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A2D90
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C786E80
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C75EF11
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7948C8
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77289F
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7869F0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77CA50
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77AAD0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77EAA0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C72240A
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C74C5EC
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78C5C0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C778650
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C79C640
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7866E0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A6700
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A07C0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78C050
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C720092
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7841F0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78A280
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78A380
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C733CE0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C783D10
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A1DE0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78BEF0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C757EEF
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C71FEC9
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C705EA1
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A1870
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C793820
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77B810
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7998D0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C751896
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C705972
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C795950
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C797930
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A791A
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C783900
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A3999
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C75DA52
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A7A00
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C791AA0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C71DB66
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C79BBC0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C70DBCA
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C777B90
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78B4D0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7654AC
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C791489
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C76F521
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C795520
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7815D0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C789580
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77F580
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C79B600
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A16C0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7697F3
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7A37C0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7097CF
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7937A0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C77D020
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C78B0E0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C795200
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C7992A0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C790750
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp; Code function: 7_2_6C793AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B881EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00BC81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00BB4250
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD824010_2_00BD8240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDC3C010_2_00BDC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD04C810_2_00BD04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BB865010_2_00BB8650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBC95010_2_00BBC950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B9094310_2_00B90943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BB8C2010_2_00BB8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD4EA010_2_00BD4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD0E0010_2_00BD0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BA10AC10_2_00BA10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BCD08910_2_00BCD089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC518010_2_00BC5180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBD1D010_2_00BBD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD91C010_2_00BD91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD112010_2_00BD1120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDD2C010_2_00BDD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BA53F310_2_00BA53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B453CF10_2_00B453CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B8D49610_2_00B8D496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD54D010_2_00BD54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDD47010_2_00BDD470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B4157210_2_00B41572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD155010_2_00BD1550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BCD6A010_2_00BCD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B9965210_2_00B99652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B497CA10_2_00B497CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B5976610_2_00B59766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDD9E010_2_00BDD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B41AA110_2_00B41AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC5E8010_2_00BC5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC5F8010_2_00BC5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B5E00A10_2_00B5E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC22E010_2_00BC22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BE230010_2_00BE2300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BAE49F10_2_00BAE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC25F010_2_00BC25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBA6A010_2_00BBA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BB66D010_2_00BB66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDE99010_2_00BDE990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC2A8010_2_00BC2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B9AB1110_2_00B9AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC6CE010_2_00BC6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC70D010_2_00BC70D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBB18010_2_00BBB180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BAB12110_2_00BAB121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD720010_2_00BD7200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BCF3A010_2_00BCF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B6B3E410_2_00B6B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDF3C010_2_00BDF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BCF42010_2_00BCF420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BB741010_2_00BB7410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BDF59910_2_00BDF599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD353010_2_00BD3530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BE351A10_2_00BE351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBF50010_2_00BBF500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BE360110_2_00BE3601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BB379010_2_00BB3790
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BD77C010_2_00BD77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B6F8E010_2_00B6F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBF91010_2_00BBF910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC7AF010_2_00BC7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B93AEF10_2_00B93AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B5BAC910_2_00B5BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B5BC9210_2_00B5BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BC7C5010_2_00BC7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BBFDF010_2_00BBFDF0
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\7zr.exe BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsv.vbc 02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Code function: String function: 6C7A3F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Code function: String function: 6C706240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B41E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B428E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00BDFB10 appears 723 times
Source: Setup64v7.3.9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v7.3.9.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup64v7.3.9.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: Setup64v7.3.9.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: Setup64v7.3.9.exe | Static PE information: Number of sections : 11 > 10
Source: Setup64v7.3.9.exe, 00000000.00000003.2055597035.000000007F23B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe, 00000000.00000000.2052525284.0000000000EE9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe, 00000000.00000003.2055068177.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe | Binary or memory string: OriginalFileNamebv2p0UUx502h.exe vs Setup64v7.3.9.exe
Source: Setup64v7.3.9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@126/31@0/0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B49313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B53D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B49252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-O1KU2.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2220:120:WilError_03
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Setup64v7.3.9.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | File read: C:\Users\user\Desktop\Setup64v7.3.9.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe"
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp" /SL5="$20486,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\Setup64v7.3.9.exeProcess created: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmpProcess created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\Setup64v7.3.9.exeProcess created: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp "C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp" /SL5="$20486,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: wintypes.dll (3 consecutive entries)
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 consecutive entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2 consecutive entries)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll (2 consecutive entries)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: wintypes.dll (3 consecutive entries)
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Setup64v7.3.9.exe | Static file information: File size 11954989 > 1048576
Source: Setup64v7.3.9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000D.00000003.2172247541.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2172369425.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BC57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00BC57D0
Source: bv2p0UUx502h.tmp.2.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup64v7.3.9.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x32a8f0
Source: hrsv.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: Setup64v7.3.9.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x32a8f0
Source: bv2p0UUx502h.tmp.7.dr | Static PE information: real checksum: 0x0 should be: 0x649dd2
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
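Added example (not part of the Joe Sandbox report): the six "real checksum ... should be" entries above compare the CheckSum field stored in each file's optional header with the value the PE checksum algorithm yields for the file's actual bytes. Microsoft's PE documentation states that the loader validates this field for drivers, boot-time DLLs and DLLs loaded into critical Windows processes; elsewhere a wrong value has no effect, so a stored 0x0 (usual for binaries linked without /RELEASE) is a weak signal on its own, while a stored nonzero value that does not match, as with tProtect.dll (0x1eb0f vs 0xfc66), means the file was changed after it was linked. The Python below recomputes the expected value and reproduces the report's "real checksum: X should be: Y" line. The header-only PE32+ image it builds is constructed for the demonstration and is not one of the dropped files.

```python
"""Recompute OptionalHeader.CheckSum the way the report's check does.
Added example; not Joe Sandbox code. The sample image is constructed."""
import struct


def pe_checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, after validating MZ/PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # PE signature (4) + COFF file header (20); CheckSum sits 64 bytes into the
    # optional header for both PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of every 16-bit word except the CheckSum field,
    folded to 16 bits, plus the file length (the imagehlp CheckSumMappedFile
    algorithm)."""
    cs_off = pe_checksum_offset(data)
    padded = bytes(data) + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if off in (cs_off, cs_off + 2):      # skip the 4-byte CheckSum field
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def check_pe_checksum(data: bytes) -> tuple:
    """(stored, expected): the pair behind 'real checksum: X should be: Y'."""
    return stored_pe_checksum(data), compute_pe_checksum(data)


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the CheckSum field overwritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe_checksum_offset(buf), value)
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ image with CheckSum left at 0, standing in
    for the dropped files the report lists with 'real checksum: 0x0'."""
    buf = bytearray(0x148 + 8)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    # Machine=AMD64, 0 sections, no symbols, SizeOfOptionalHeader=0xF0,
    # Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x8664, 0, 0, 0, 0, 0xF0, 0x0022)
    struct.pack_into("<H", buf, 0x58, 0x20B)                 # PE32+ magic
    buf[0x148:] = b"\xCC" * 8                                # token payload bytes
    return bytes(buf)


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    stored, expected = check_pe_checksum(SAMPLE_PE)
    print(f"real checksum: {stored:#x} should be: {expected:#x}")
```

Run check_pe_checksum() on the bytes of a real file to reproduce the report's figures. Because compute_pe_checksum() skips the CheckSum field itself, the expected value is the same before and after with_checksum() writes it back, which is how a mismatch can be distinguished from a file that was simply never stamped.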
Source: Setup64v7.3.9.exe | Static PE information: section name: .didata
Source: Setup64v7.3.9.tmp.0.dr | Static PE information: section name: .didata
Source: bv2p0UUx502h.tmp.2.dr | Static PE information: section name: .00cfg
Source: bv2p0UUx502h.tmp.2.dr | Static PE information: section name: .voltbl
Source: bv2p0UUx502h.tmp.2.dr | Static PE information: section name: .XkS
Source: Setup64v7.3.9.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: bv2p0UUx502h.tmp.7.dr | Static PE information: section name: .00cfg
Source: bv2p0UUx502h.tmp.7.dr | Static PE information: section name: .voltbl
Source: bv2p0UUx502h.tmp.7.dr | Static PE information: section name: .XkS
Source: hrsv.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsv.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsv.vbc.7.dr | Static PE information: section name: .XkS
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Code function: 7_2_6C7089F4 push 004AC35Ch; ret 7_2_6C708A0E
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Code function: 7_2_6C7A4290 push eax; ret 7_2_6C7A42BE
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | Code function: 7_2_6C7A3F10 push eax; ret 7_2_6C7A3F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B445F4 push 00BEC35Ch; ret 10_2_00B4460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BDFB10 push eax; ret 10_2_00BDFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BDFE90 push eax; ret 10_2_00BDFEBE
Source: bv2p0UUx502h.tmp.2.dr | Static PE information: section name: .text entropy: 6.902892302303514
Source: bv2p0UUx502h.tmp.7.dr | Static PE information: section name: .text entropy: 6.902892302303514
Source: hrsv.vbc.7.dr | Static PE information: section name: .text entropy: 6.902892302303514
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp | File created: C:\Program Files (x86)\Windows NT\hrsv.vbc (2 consecutive entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
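Added example (not part of the Joe Sandbox report): the last entry above registers a kernel-mode service (type= kernel, start= auto) whose image is C:\Program Files (x86)\Windows NT\tProtect.dll, and the 18 consecutive "sc start CleverSoar" entries at the top of this section try to start it; the report does not record whether any of those starts succeeded. The PDB path recovered from 7zr.exe memory and from tProtect.dll (...\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb) is a WDK free (release) amd64 driver build directory, wnet being the Windows Server 2003 target, so the .dll is a renamed .sys, consistent with the "Drops files with a non-matching file extension" signature in the overview. C:\Program Files (x86)\Windows NT is a directory that exists on stock Windows installs (it holds the Accessories folder), so 7zr.exe, hrsv.vbc and tProtect.dll blend in with a legitimate location. A kernel driver installed from a .dll outside the Windows directory is the detail a detection rule should key on. The Python below parses sc.exe's "key= value" syntax out of process-creation lines and flags exactly that. The first sample line is the report's own command; the other two are constructed for contrast, and the indicator strings are names chosen here, not report vocabulary. Both indicators are heuristics: some third-party drivers are legitimately installed under Program Files, so treat a hit as a triage lead rather than a verdict.

```python
"""Flag 'sc create ... type= kernel' commands whose image does not look like a
driver. Added example; not Joe Sandbox code. Sample lines 2 and 3 are constructed."""

NON_SYS_IMAGE = "kernel driver image does not have a .sys extension"
OUTSIDE_WINDOWS = "kernel driver image is outside the Windows directory"


def tokenize_cmdline(cmd: str) -> list:
    """Split on whitespace while keeping double-quoted runs (and their spaces) intact.
    Written by hand because shlex treats Windows backslashes as escapes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_sc_create(cmd: str):
    """Return {'name': ..., 'binpath': ..., 'type': ..., ...} for an 'sc create'
    command line, or None if the line is not one. sc.exe wants 'key= value'
    (space after the '='); the 'key=value' form is accepted here too."""
    toks = tokenize_cmdline(cmd)
    for i, tok in enumerate(toks):
        exe = tok.rsplit("\\", 1)[-1].lower()
        if exe in ("sc", "sc.exe") and i + 2 < len(toks) and toks[i + 1].lower() == "create":
            svc = {"name": toks[i + 2]}
            j = i + 3
            while j < len(toks):
                key, eq, val = toks[j].partition("=")
                if not eq:
                    j += 1
                    continue
                if val == "" and j + 1 < len(toks):   # 'key=' followed by ' value'
                    val = toks[j + 1]
                    j += 1
                svc[key.lower()] = val
                j += 1
            return svc
    return None


def assess_service(svc: dict) -> list:
    """Indicators (not a verdict) for a parsed 'sc create'. sc's default type is 'own'."""
    findings = []
    if svc.get("type", "own").lower() != "kernel":
        return findings
    path = svc.get("binpath", "").lower()
    image = path.rsplit("\\", 1)[-1]
    if not image.endswith(".sys"):
        findings.append(NON_SYS_IMAGE)
    if not path.startswith(("c:\\windows\\", "\\systemroot\\", "system32\\", "\\??\\c:\\windows\\")):
        findings.append(OUTSIDE_WINDOWS)
    return findings


def scan_report_lines(lines) -> list:
    """Run the check over report-style 'Process created: <image> <cmdline>' lines."""
    results = []
    for line in lines:
        _, sep, cmd = line.partition("Process created: ")
        if not sep:
            continue
        svc = parse_sc_create(cmd)
        if svc is not None:
            results.append((svc["name"], assess_service(svc)))
    return results


# Line 1 is the report's own entry; lines 2 and 3 are constructed for contrast.
SAMPLE_LINES = [
    r'C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto',
    r'C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create ExampleFlt binPath= C:\Windows\System32\drivers\exampleflt.sys type= kernel start= demand',
    r'C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create ExampleSvc binPath= "C:\Program Files\Example\svc.exe" start= auto',
]

if __name__ == "__main__":
    for name, findings in scan_report_lines(SAMPLE_LINES):
        print(name, "->", findings or "no indicators")
```

The same parser applies to Sysmon event 1 or Security 4688 command lines; for coverage of services created through the API rather than sc.exe, pair it with System log event 7045 (service installed), which records ImagePath and ServiceType directly.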

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (6 consecutive entries)
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (100 consecutive entries)
Source: C:\Users\user\Desktop\Setup64v7.3.9.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3209
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Window / User API: threadDelayed 609
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Window / User API: threadDelayed 605
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Window / User API: threadDelayed 555
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\bv2p0UUx502h.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsv.vbc
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5652 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (28 occurrences)
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B46868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00B46868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B47496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00B47496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B49C60 GetSystemInfo, 10_2_00B49C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Setup64v7.3.9.tmp, 00000002.00000002.2137139898.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\R]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Process queried: DebugPort
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00BC57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00BC57D0
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Code function: 7_2_6C6E7676 mov eax, dword ptr fs:[00000030h] 7_2_6C6E7676
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 occurrences)
Source: tProtect.dll.13.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp Process created: C:\Users\user\Desktop\Setup64v7.3.9.exe "C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (30 occurrences)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp Code function: 7_2_6C7A4720 cpuid 7_2_6C7A4720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B4AB2A GetSystemTimeAsFileTime, 10_2_00B4AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00BE0090 GetVersion, 10_2_00BE0090
Source: Setup64v7.3.9.tmp, 00000007.00000002.2297554773.0000000001010000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r\MsMpEng.exe
MITRE ATT&CK Matrix (listed per tactic column; the number in parentheses is the signature count the report attaches to that technique, where it shows one)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2), Service Execution (1), Native API (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (321), Process Discovery (1), Virtualization/Sandbox Evasion (231), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (25), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1580842, Sample: Setup64v7.3.9.exe, Startdate: 26/12/2024, Architecture: WINDOWS, Score: 80

Signatures attached to the sample node: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; Machine Learning detection for dropped file; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree recovered from the behavior graph (indentation shows parent and child; "->" means "started"):
  • Setup64v7.3.9.exe (dropped C:\Users\user\AppData\...\Setup64v7.3.9.tmp, PE32)
    • Setup64v7.3.9.tmp (dropped C:\Users\user\AppData\...\bv2p0UUx502h.tmp, PE32, and C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; signature: Adds a directory exclusion to Windows Defender)
      • Setup64v7.3.9.exe (dropped C:\Users\user\AppData\...\Setup64v7.3.9.tmp, PE32)
        • Setup64v7.3.9.tmp (dropped C:\Users\user\AppData\...\bv2p0UUx502h.tmp, PE32; C:\Program Files (x86)\Windows NT\hrsv.vbc, PE32; C:\Program Files (x86)\Windows NT\7zr.exe, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers)
          • 7zr.exe (dropped C:\Program Files (x86)\...\tProtect.dll, PE32+) -> conhost.exe
          • cmd.exe -> sc.exe -> conhost.exe
          • 7zr.exe -> conhost.exe
          • cmd.exe -> sc.exe
      • powershell.exe (signature: Loading BitLocker PowerShell Module) -> conhost.exe, WmiPrvSE.exe
  • cmd.exe -> sc.exe (-> conhost.exe), conhost.exe
  • cmd.exe -> sc.exe -> conhost.exe
  • 28 other processes -> 3 x sc.exe (each -> conhost.exe), 24 other processes (-> conhost.exe, 23 other processes)

Antivirus detection for the sample (Source: Detection, Scanner)
Setup64v7.3.9.exe: 6%, Virustotal
Setup64v7.3.9.exe: 3%, ReversingLabs

Antivirus detection for dropped files (Source: Detection, Scanner)
C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\bv2p0UUx502h.tmp: 100%, Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\bv2p0UUx502h.tmp: 100%, Joe Sandbox ML
C:\Program Files (x86)\Windows NT\hrsv.vbc: 100%, Joe Sandbox ML
C:\Program Files (x86)\Windows NT\7zr.exe: 0%, ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe: 0%, Virustotal
C:\Program Files (x86)\Windows NT\hrsv.vbc: 11%, Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll: 9%, ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll: 6%, Virustotal
C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp: 3%, Virustotal
C:\Users\user\AppData\Local\Temp\is-5CIPV.tmp\_isetup\_setup64.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NK16J.tmp\_isetup\_setup64.tmp: 0%, ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in memory or binary data (Name; Source; Malicious; Reputation; no antivirus detection is listed for any of them)
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU; Source: Setup64v7.3.9.exe; Malicious: false; Reputation: high
https://www.remobjects.com/ps; Source: Setup64v7.3.9.exe, 00000000.00000003.2055068177.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.exe, 00000000.00000003.2055597035.000000007EF4B000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.tmp, 00000002.00000000.2057962622.0000000000311000.00000020.00000001.01000000.00000004.sdmp, Setup64v7.3.9.tmp, 00000007.00000000.2126559227.000000000073D000.00000020.00000001.01000000.00000008.sdmp, Setup64v7.3.9.tmp.0.dr, Setup64v7.3.9.tmp.6.dr; Malicious: false; Reputation: high
https://www.innosetup.com/; Source: Setup64v7.3.9.exe, 00000000.00000003.2055068177.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.exe, 00000000.00000003.2055597035.000000007EF4B000.00000004.00001000.00020000.00000000.sdmp, Setup64v7.3.9.tmp, 00000002.00000000.2057962622.0000000000311000.00000020.00000001.01000000.00000004.sdmp, Setup64v7.3.9.tmp, 00000007.00000000.2126559227.000000000073D000.00000020.00000001.01000000.00000008.sdmp, Setup64v7.3.9.tmp.0.dr, Setup64v7.3.9.tmp.6.dr; Malicious: false; Reputation: high
        No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580842
Start date and time: 2024-12-26 11:18:44 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 108
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: Setup64v7.3.9.exe
Detection: MAL
Classification: mal80.evad.winEXE@126/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 59%
• Number of executed functions: 95
• Number of non-executed functions: 178
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
        No context
        No context
        No context
Joe Sandbox View: dropped files matching samples seen in earlier analyses (Match; Associated Sample Name / URL; Detection; Threat Name; the SHA-256 column is not reproduced in this report)
Match: C:\Program Files (x86)\Windows NT\7zr.exe
• Setup64v4.1.9.exe, Detection: malicious, Threat Name: Unknown
• Setup64v4.1.9.exe, Detection: malicious, Threat Name: Unknown
• #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Threat Name: Unknown
• #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Threat Name: Unknown
• yvaKqhmD4L.exe, Detection: malicious, Threat Name: Unknown
• yvaKqhmD4L.exe, Detection: malicious, Threat Name: Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Threat Name: Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Threat Name: Unknown
• #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Threat Name: Unknown
Match: C:\Program Files (x86)\Windows NT\hrsv.vbc
• Setup64v4.1.9.exe, Detection: malicious, Threat Name: Unknown
• Setup64v4.1.9.exe, Detection: malicious, Threat Name: Unknown
Process: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: Setup64v4.1.9.exe, Detection: malicious
• Filename: Setup64v4.1.9.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: yvaKqhmD4L.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
File Type: data
Category: dropped
Size (bytes): 2748481
Entropy (8bit): 7.9999407756814565
Encrypted: true
SSDEEP: 49152:WClqzJh23Oi0M7LaKlJJfsxzRZks+DSEzCGg0IeRGOERTRE4CNmlL5yPY:WJh7i0MfTbkxos+xzC7Z4GxRes0Y
                              MD5:0D830652BC6E70E8C2D902B458006FD0
                              SHA1:3B00872D407B0C964F7314745360A4AA87C3A8A1
                              SHA-256:014D57B62167CB0D84BE39D1D82F283FB06C6864BB7E9ECF2FA180B859A09B3F
                              SHA-512:CA6B029DAF07790BE41CAC1A48746E065EE075B735677337075ABCEFED568B87FC1466D0BC46A5230E09164ED318C4E03A869C7D07DBDB34C1B49E1CE64BA10E
                              Malicious:false
                              Preview:.@S.....y...................'n.._..t8@Mp./c.i.,.+SF..7DL)_.~[{%.ea....}@....o.#.;......3E..1...,....Q.....{-.....{.6..w.v.R.'-.P.......n./..3..x.G.;.......Q....8...v..u..^.aQ. 0ce....&?S.Q.%~Q..J...7z.3wHU.^".f..4.5P.*...d{z..@..S.^j.>...&..^g...vr..4.J7Cp..&l....%N..3.w...D:HmZ....s.....G.w....K.~.X...7..o_B..~. #.b...u..ncM.rbX.0..}.u.L....+....5.....Wy......X..\...$v.o..'...h.O.Z..A.j.;1.....bI.<....R.+....qK...)..~..!8....9.`i'A.}...,..W.!4.t..k\x...a......p. .*......X.!{ .F....QI)....b..].g.cNu[....k0..H...;.../E.31]......-.S&.>.D].7_.E...pDk.U4....p.}T..........sgA@Rso..(..L.W......(..x...a]9. e...AS.n...(. .:...s.....j.O\..# .s.9.C.......d.0$...w~..whw..Q....3&....g....I...r......^..=@UQ$0=.-..b....~.@cuKm.R).u.6=.......h8....8.j..O.!.)..b..q....4.Cky.L^..e.....1.c........|..`..S.`c.wc.zh...B.o..s...#Y.V.x...... N.W...........s......3...3q..w....j.'.....:!.=(z-.u......;..d..#.aIhS...t..........4..<U......[.0=b..8...#.W..t.~v.
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 11%, Browse
                              Joe Sandbox View:
                              • Filename: Setup64v4.1.9.exe, Detection: malicious, Browse
                              • Filename: Setup64v4.1.9.exe, Detection: malicious, Browse
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....lg...........!.....:...........u........................................d...........@.........................t.......a...(....0d......................@d..:...................................................................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...`....P.......0..............@....00cfg.......0......................@..@.tls.........@......................@....voltbl.F....P...........................XkS....`.G..`....G................. ..`.rsrc........0d.......c.............@..@.reloc...:...@d..<....c.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):2748481
                              Entropy (8bit):7.9999407756814565
                              Encrypted:true
                              SSDEEP:49152:WClqzJh23Oi0M7LaKlJJfsxzRZks+DSEzCGg0IeRGOERTRE4CNmlL5yPY:WJh7i0MfTbkxos+xzC7Z4GxRes0Y
                              MD5:0D830652BC6E70E8C2D902B458006FD0
                              SHA1:3B00872D407B0C964F7314745360A4AA87C3A8A1
                              SHA-256:014D57B62167CB0D84BE39D1D82F283FB06C6864BB7E9ECF2FA180B859A09B3F
                              SHA-512:CA6B029DAF07790BE41CAC1A48746E065EE075B735677337075ABCEFED568B87FC1466D0BC46A5230E09164ED318C4E03A869C7D07DBDB34C1B49E1CE64BA10E
                              Malicious:false
                              Preview:.@S.....y...................'n.._..t8@Mp./c.i.,.+SF..7DL)_.~[{%.ea....}@....o.#.;......3E..1...,....Q.....{-.....{.6..w.v.R.'-.P.......n./..3..x.G.;.......Q....8...v..u..^.aQ. 0ce....&?S.Q.%~Q..J...7z.3wHU.^".f..4.5P.*...d{z..@..S.^j.>...&..^g...vr..4.J7Cp..&l....%N..3.w...D:HmZ....s.....G.w....K.~.X...7..o_B..~. #.b...u..ncM.rbX.0..}.u.L....+....5.....Wy......X..\...$v.o..'...h.O.Z..A.j.;1.....bI.<....R.+....qK...)..~..!8....9.`i'A.}...,..W.!4.t..k\x...a......p. .*......X.!{ .F....QI)....b..].g.cNu[....k0..H...;.../E.31]......-.S&.>.D].7_.E...pDk.U4....p.}T..........sgA@Rso..(..L.W......(..x...a]9. e...AS.n...(. .:...s.....j.O\..# .s.9.C.......d.0$...w~..whw..Q....3&....g....I...r......^..=@UQ$0=.-..b....~.@cuKm.R).u.6=.......h8....8.j..O.!.)..b..q....4.Cky.L^..e.....1.c........|..`..S.`c.wc.zh...B.o..s...#Y.V.x...... N.W...........s......3...3q..w....j.'.....:!.=(z-.u......;..d..#.aIhS...t..........4..<U......[.0=b..8...#.W..t.~v.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.996815400902768
                              Encrypted:true
                              SSDEEP:768:0R3QA3V+WC+UzY723gGLMWAtbzPUwZjTebZWztwg0aV2MFlWEnAYyJuMvj1Jv+Wx:0D+KUsiQ/bUCPeWzqY2MndAYcurbGL
                              MD5:C97C44555B7F975D023CC65DCDDF68EB
                              SHA1:43609D490DD922B0CBF63F7CFE505AFF639C5F36
                              SHA-256:F4468B85D282F7C8583F9009E30CE20BA3FC3C377C768A21A22E27D2675EFD5F
                              SHA-512:B72BF2AFB2FD51DF0B283E76DD286130BF36204A7C1A7CCE6C169E2674AC133CC8EE423931F57A69D66BF66B583697469D33534321FEA6663C75DBD45CE434B8
                              Malicious:false
                              Preview:.@S....R.Y.| .................:....<..2..A..o.(.H3\.....}.gYw...l..8 .|..X.8D}.7?....n.....2.E....:?.k..9k.....-.>P.x?.[.........Xl....L.&..-..tN....X)@....<B..Z...5..k....q..gk/...t.%Y.U^..{+.\<#$...;.M...T?4Q..n&3.F.W..&..&zX.........O..8...R...>...0...$.......(z...(t.XI./'.....rv.M..P.......pPbOu.h.>..nw..r.*.2....{....Y.b..V..r...........C....*m.ZC...m}..`.Y/..P.9.c..XY......W,.k...bUw.W.UE..M..$.l..x..j..8.@.._J..,>.g!..?..-UD....o.2.....@.ln...MD t....kV.+....KO.&.v.A....(..%..5[..z..=y$r....k[.<....a...U`.t..0.?]...j....GM.#.:..~n....N.p....g..~L...<..... ......a4AT.i...K..^.....!./{...3.......k...Z.?... qOn.5......9.........|......^..x....q.Y...)..n...N..;.1...e..t.XIFB.L.....2.Xc...T..b.....NpZ...%..&.......U....i.{.[..+.....on...dr.uCg..uc#S...\.|]..Ws._..J.3@.Vb..^.H.n...YIe7....t.._...o_.........mk....C."O..2./..)C.dD.>...A......=..2.i.u..*..Dv(..d ..`.}..bJ.,.....t.^..W.n..y.....{O0.....3..UO.* .(V..\.....v..^y.id.......U1.D
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.9968154009027685
                              Encrypted:true
                              SSDEEP:1536:BpyRU4PDAHrmUsCTXnUbW7UbePTQk9ZkPw:BpcxPD8r+CrUbxeB9mPw
                              MD5:7A4C36F3B9161F3AB7F9D2402A7C02E4
                              SHA1:82DB74C6EEE5290FB9FEB5F79A3DAD1CB0D65C2F
                              SHA-256:FF78C6499B160AC490E07EDBFCCE1B7BE01D6E8D714BA1DEFAB62A71C7A0565E
                              SHA-512:EE38F7102E594C1CD8147543F19DB992596E537E4BCCECBDB95CCDED6DC6F56BB5395ED4697E7A0C83463D29BD4D1852F1AF7D41E18D2F9A60C8E69837820DA0
                              Malicious:false
                              Preview:7z..'....[.h........2.......5G[ .ZJ.,.R/n..a..(+. .u...YM.$k.....%OX...t....U.....$..[)2..xR!Y.z....Eo\....V%.@k....C.h....s>.V.Q.....T?......^.B...m.q..&gjZQ...5..z:..M..xmQ.....J...%.O......t.....PR..s.D'Vh....:O...0.....$........E.hZ....b.I.REO...N.[..gk.u_....~.0...N.....=.Y.XO...T..T.9=+.S.....`.Q.k ..>Q.'v.v..ee>.pgg3.t...q{.b.P.{..V"..Y.sn`}.u../D7Sv....'..l`..^.,.A...t&..!...I..kk.....O....7..z.2xC.7..-.#.o.#....1..HW......j..U.&......m..-71.....#.......hD..O._.$.x)Q.lQ......X..Q......Fe."....0....^.0..}.Q.....q....>.:..M....r..h.aD..._I....f......F.%d....!.4.'...C..?...^.v...O.%y.Y Rp.l.=DO.-C.^1q..5I.8.h........HG...n..}K{,.)!..Ni...{<u.$.sFD.~..67.2WY...no;..6......z.+>h.T.^..{'Z\.E2..4......+.n.,7.hj.|...y..Q[4..y....q.37.rq..}N...I...k....-.........z...3.....7s.....{......(Zn.'v..9.&."...%7.E1!.[..-h.S5.W.[.U.;.c~.r..6.7*..Jn'...B..(.-.yc.Sz.......nh.Y.E@..K.A{......)...Yx.d.........O.E...r..4....y6.^..X|..b......KQ.y2.....
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255975
                              Encrypted:true
                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                              Malicious:false
                              Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):2748481
                              Entropy (8bit):7.999940775681453
                              Encrypted:true
                              SSDEEP:49152:X7j1hkabNIqw904zbr6Mql0sJGrZm86Yn/WqylS2wRm8yb/y:X7j1hYqE6Mq0/lZebfb6
                              MD5:1A9F36EF4A0B5D5B6B7FEE775862A75F
                              SHA1:9B72F332F257CA5272DD128735DA108607756D21
                              SHA-256:AEE243D9A5078C921BA08F5CD78963BA57059A3BB2B7D1B7D6A6D33887626F88
                              SHA-512:C6BEEF541A4E29D34CE76BC7B5A326CC05BD9A8D985DB492D0FA0F985F9A62576A3CC5EF9BA2B6A871D148C8DE4AA2682570B3FF9BC8B495BD9B9A95483F7C55
                              Malicious:false
                              Preview:7z..'...9.....).....A.......)..8..k^........%..@..[....a....H..T.4.....KQ.A....v..tw..?.g[.n.H.Gxs...t.....gR.d.,.f.$..X.7.z...BQhb>...-.G...v.....j..&..0...jK]n.},.r8.:..w......ElYW....i..0...E..+a..._....].N. .e.pE_...DN..<.)......N...q.+..)..D....w.w$6z...T.5...+......+g.q..l2.P.x<D..!...2.l^.U.....z.$....u.F.DN...+...Q..A.".F..b.z.`.7....)Ac.Dm.j`H..t..1].#sU...RD.s.J.C......<....{<iob.....".V.=...*...F90.. .##..<:.O.*...s.NM)......._.M6.....*.EZ8!+....d.DPZ....d..Y...J....?l..8@..u....=....w.el....OB..m~)D......Jm[@N..-.......R...{...~...u...._..\-^.. ..upx.A-.......b...m.j.B..3.o.6...CQ...{.>......5....u.:.+.GlAb....:i..;..R.[..d=(@S.f.\..yFD..,3e...n*..8.......S...X0m=.:..X.pLnH..r.........::.^M..a.H.....e....W...W..d.r...w..t....y.\...Fc..y.&)......~}.Y!..d.....DY..|c:.K?.51_...........L...z.|$[.C....q...5[''0.L.J+9p".....r.:.XH8..,z.M1.....=....o<....X...L..G.(f.j.*..{..0....y=o.1_~.2*..f.3..q...Q....$.....9...cO.q.OS.[...
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              • Antivirus: Virustotal, Detection: 6%, Browse
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.3411690983537548
                              Encrypted:false
                              SSDEEP:48:dXKLzDlniPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y2:dXazDlniP6whldOVQOj6dKbKsz7
                              MD5:9CFD4A767D5DD4176567334333A293A0
                              SHA1:5FE7A85589762073206593FEBA92C3FCE36BDD46
                              SHA-256:CD0C911EF19EDE3A594B89B660FB8D56ECB6EF267E9DEEAFFE7AC5E5F11C0663
                              SHA-512:19E7D1AA5162EA5BD133165B314D92E177A8FBB9ADDA43ABF9C1D79C9DA8DFE08457D0C170122D3E0623724F4C0D68B3C4E696CC8C67DA2D28E5963807529F14
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkA
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2498321
                              Entropy (8bit):7.999921132510384
                              Encrypted:true
                              SSDEEP:49152:AQFtsREnrRH+oFmVCvnyxkCmXtxQKq8RHqPVy2p7H2K3:5sRMRHFXvnyOCQtaKq9PVyG7H2o
                              MD5:3EE740D2A8E6336AAAFCD5F4245C7265
                              SHA1:F34C0914D873565F9113B0788D95C094439A0085
                              SHA-256:E7D5FBFD0F86019C6AFCE124458085AA3FBCE254EA7E445FDC524003ACBCB55A
                              SHA-512:C6C05ED0A917821D32A4435CB55B169AD3A5F522F0B511C9B0B058C9FA8B470A7CDA287F7D3626BBDF701D5B3ABB88F6585BEB35CBA2D26CCC081E97FAEBAD7B
                              Malicious:false
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulnmWllZ:NllUmWl
                              MD5:3EBBEC2F920D055DAC842B4FF84448FA
                              SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                              SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                              SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                              Malicious:false
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3282432
                              Entropy (8bit):6.577783239160003
                              Encrypted:false
                              SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333Wy:DJYVM+LtVt3P/KuG2ONG9iqLRQh333V
                              MD5:9C495CFE45360DE58A589F398974999F
                              SHA1:DA5D75943481673F424F8845BCA36C2E0B4D3E0A
                              SHA-256:0C824C0E7897345F342E757AF425483E84BCC32885E3C5A29C3CC2D16F5D4CA5
                              SHA-512:A4812E77736860D83082327236EC78B59E1FACAA32AFEADE7BBAA34CB71DA3570B65EAB9B2A68FFF3029A2467D2E4ED433E36B4BE79944EFD5BBEE45FF23D093
                              Malicious:true
                              Antivirus:
                              • Antivirus: Virustotal, Detection: 3%, Browse
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Process:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3282432
                              Entropy (8bit):6.577783239160003
                              Encrypted:false
                              SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQh333Wy:DJYVM+LtVt3P/KuG2ONG9iqLRQh333V
                              MD5:9C495CFE45360DE58A589F398974999F
                              SHA1:DA5D75943481673F424F8845BCA36C2E0B4D3E0A
                              SHA-256:0C824C0E7897345F342E757AF425483E84BCC32885E3C5A29C3CC2D16F5D4CA5
                              SHA-512:A4812E77736860D83082327236EC78B59E1FACAA32AFEADE7BBAA34CB71DA3570B65EAB9B2A68FFF3029A2467D2E4ED433E36B4BE79944EFD5BBEE45FF23D093
                              Malicious:true
                              Process:C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6553088
                              Entropy (8bit):7.647769337217841
                              Encrypted:false
                              SSDEEP:196608:90JmOiIkT/p5gtxNvL/6amzp5+/2nfD3:fjghjCZm2f
                              MD5:7660CD2408FA83CD090E58097DF443EA
                              SHA1:927B4D4213058490E4A5F0E8F917F492A7B9816F
                              SHA-256:02A7CA1654FA8AE05144BB9750DC43784E00AAD587B2DEE2E3AED67AB82D0C52
                              SHA-512:A93AE155006D47B59D34358B202B04EBB14E9BD62F64E4FB8FFD80102836B2BCA92382A7CA8559105EC4F66587918A498C59F510CF3FB2DE94B96FC83AA8A849
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                               Preview:
                               7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20

                               Scanning the drive for archives:
                                0M Scan
                               1 file, 31890 bytes (32 KiB)

                               Extracting archive: locale3.dat
                               --
                               Path = locale3.dat
                               Type = 7z
                               Physical Size = 31890
                               Headers Size = 354
                               Method = LZMA2:16 LZMA:16 BCJ2 7zAES
                               Solid = -
                               Blocks = 1

                                0%
                               Everything is Ok

                               Size: 63640
                               Compressed: 31890
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.981730188325277
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.45%
                              • Inno Setup installer (109748/4) 1.08%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              File name:Setup64v7.3.9.exe
                              File size:11'954'989 bytes
                              MD5:adbae5ff217253f04132277916d5af08
                              SHA1:148a186f26caa8fc6298ea9bf6641add1cfa2160
                              SHA256:9a10f85e8932ecec7724c573c91f32b086af49d0c6f1fc9e219328473ef31c67
                              SHA512:f1e53c7cf8c246628390325b08c50b31ff89a1e7d3f87df3309dfb562b594ff1693931db18d156c0221b9ef37d4902b1beb8809cfec5ce96fcf3711e6ee4561c
                              SSDEEP:196608:gcb0MHWvN4u2O3Rbzx0bPEGYYiNwd85zcgth546NFOwtkluL0HA3i4qIpK:gcGvNuO3Rbz0cHYmwdWzck4WOwtkEq3V
                              TLSH:C5C62323B3CBE03DF45D0B3B05B2B14494FB66226527AE66D7F484ACCF264611E3E616
                              Icon Hash:4c4d494959190d0c
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007FA4E92C63A5h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007FA4E9357D2Bh
                              call 00007FA4E935787Eh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007FA4E9352558h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007FA4E92C0453h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007FA4E9353883h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007FA4E9357DB3h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007FA4E935EA9Ah
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007FA4E9354178h
                              mov edx, dword ptr [004B4200h]
                               Name                                  | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT          | 0xb7000         | 0x71         | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT          | 0xb5000         | 0xfec        | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0xcb000         | 0x3dfc       | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0xba000         | 0x10fa8      | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_TLS             | 0xb9000         | 0x18         | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_IAT             | 0xb52d4         | 0x25c        | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0xb6000         | 0x1a4        | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
                               Name    | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
                               .text   | 0x1000          | 0xa568c      | 0xa5800  | b889d302f6fc48a904de33d8d947ae80 | False    | 0.3620185045317221  | data      | 6.377190161826806  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext  | 0xa7000         | 0x1b64       | 0x1c00   | 588dd0a8ab499300d3701cbd11b017d9 | False    | 0.548828125         | data      | 6.109264411030635  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data   | 0xa9000         | 0x3838       | 0x3a00   | 5c0c76e77aef52ebc6702430837ccb6e | False    | 0.35338092672413796 | data      | 4.95916338709992   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss    | 0xad000         | 0x7258       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty     | 0.0                | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata  | 0xb5000         | 0xfec        | 0x1000   | 627340dff539ef99048969aa4824fb2d | False    | 0.380615234375      | data      | 5.020404933181373  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000         | 0x1a4        | 0x200    | fd11c1109737963cc6cb7258063abfd6 | False    | 0.34765625          | data      | 2.729290535217263  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata  | 0xb7000         | 0x71         | 0x200    | 7de8ca0c7a61668a728fd3a88dc0942d | False    | 0.1796875           | data      | 1.305578535725827  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls    | 0xb8000         | 0x18         | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty     | 0.0                | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata  | 0xb9000         | 0x5d         | 0x200    | d84006640084dc9f74a07c2ff9c7d656 | False    | 0.189453125         | data      | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc  | 0xba000         | 0x10fa8      | 0x11000  | a85fda2741bd9417695daa5fc5a9d7a5 | False    | 0.5789579503676471  | data      | 6.709466460182023  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc   | 0xcb000         | 0x3dfc       | 0x3e00   | c2cbf0b5467ae1d2c1ce5d1982f3376c | False    | 0.2745715725806452  | data      | 3.9801511105858904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name          | RVA     | Size  | Type                                                                                  | Language | Country       | ZLIB Complexity
                               RT_ICON       | 0xcb438 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English  | United States | 0.05054151624548736
                               RT_STRING     | 0xcbce0 | 0x3f8 | data                                                                                  |          |               | 0.3198818897637795
                               RT_STRING     | 0xcc0d8 | 0x2dc | data                                                                                  |          |               | 0.36475409836065575
                               RT_STRING     | 0xcc3b4 | 0x430 | data                                                                                  |          |               | 0.40578358208955223
                               RT_STRING     | 0xcc7e4 | 0x44c | data                                                                                  |          |               | 0.38636363636363635
                               RT_STRING     | 0xccc30 | 0x2d4 | data                                                                                  |          |               | 0.39226519337016574
                               RT_STRING     | 0xccf04 | 0xb8  | data                                                                                  |          |               | 0.6467391304347826
                               RT_STRING     | 0xccfbc | 0x9c  | data                                                                                  |          |               | 0.6410256410256411
                               RT_STRING     | 0xcd058 | 0x374 | data                                                                                  |          |               | 0.4230769230769231
                               RT_STRING     | 0xcd3cc | 0x398 | data                                                                                  |          |               | 0.3358695652173913
                               RT_STRING     | 0xcd764 | 0x368 | data                                                                                  |          |               | 0.3795871559633027
                               RT_STRING     | 0xcdacc | 0x2a4 | data                                                                                  |          |               | 0.4275147928994083
                               RT_RCDATA     | 0xcdd70 | 0x10  | data                                                                                  |          |               | 1.5
                               RT_RCDATA     | 0xcdd80 | 0x310 | data                                                                                  |          |               | 0.6173469387755102
                               RT_RCDATA     | 0xce090 | 0x2c  | data                                                                                  |          |               | 1.1818181818181819
                               RT_GROUP_ICON | 0xce0bc | 0x14  | data                                                                                  | English  | United States | 1.25
                               RT_VERSION    | 0xce0d0 | 0x584 | data                                                                                  | English  | United States | 0.273371104815864
                               RT_MANIFEST   | 0xce654 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators                              | English  | United States | 0.3377551020408163
                               DLL          | Import
                               kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll | InitCommonControls
                               user32.dll   | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                              Name | Ordinal | Address
                              __dbk_fcall_wrapper | 2 | 0x40fc10
                              dbkFCallWrapperAddr | 1 | 0x4b063c
                              Language of compilation system | Country where language is spoken
                              English | United States
                              No network behavior found

                              Target ID:0
                              Start time:05:19:35
                              Start date:26/12/2024
                              Path:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Setup64v7.3.9.exe"
                              Imagebase:0xe30000
                              File size:11'954'989 bytes
                              MD5 hash:ADBAE5FF217253F04132277916D5AF08
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:05:19:36
                              Start date:26/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-5VJS5.tmp\Setup64v7.3.9.tmp" /SL5="$10460,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe"
                              Imagebase:0x310000
                              File size:3'282'432 bytes
                              MD5 hash:9C495CFE45360DE58A589F398974999F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:05:19:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff7be880000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:05:19:37
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:05:19:40
                              Start date:26/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff6ef0c0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:6
                              Start time:05:19:42
                              Start date:26/12/2024
                              Path:C:\Users\user\Desktop\Setup64v7.3.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
                              Imagebase:0xe30000
                              File size:11'954'989 bytes
                              MD5 hash:ADBAE5FF217253F04132277916D5AF08
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:7
                              Start time:05:19:42
                              Start date:26/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-2RKH3.tmp\Setup64v7.3.9.tmp" /SL5="$20486,11008966,792064,C:\Users\user\Desktop\Setup64v7.3.9.exe" /VERYSILENT
                              Imagebase:0x4c0000
                              File size:3'282'432 bytes
                              MD5 hash:9C495CFE45360DE58A589F398974999F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Antivirus matches:
                              • Detection: 3%, Virustotal
                              Reputation:low
                              Has exited:true

                              Target ID:8
                              Start time:05:19:46
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:05:19:46
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:05:19:46
                              Start date:26/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0xb40000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              • Detection: 0%, Virustotal
                              Reputation:moderate
                              Has exited:true

                              Target ID:11
                              Start time:05:19:46
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:12
                              Start time:05:19:46
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:13
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0xb40000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:05:19:47
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:05:19:48
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:05:19:49
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:05:19:50
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6068e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:05:19:51
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:98
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:05:19:52
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff789d30000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:05:19:53
                              Start date:26/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff68b8f0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

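                              The process list above shows the same three-process chain (cmd.exe wrapping `sc start CleverSoar`, with a conhost.exe for each console) repeated dozens of times within about two seconds, which is what a loader does when it keeps retrying a service start until a driver or service it just registered comes up. The following is an added example from the editor, not part of the Joe Sandbox report: it parses process records in the "Key:Value" layout used above and flags any service that sc.exe was asked to start repeatedly inside a short window, noting whether the calls were wrapped in `cmd /c start`. The sample input is a constructed subset of the records from this report (Target IDs 80 to 88 and 89 to 95); the single `sc start wuauserv` record is invented as a benign control and is not from the report.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the sandbox's own "Key:Value" layout. The CleverSoar records are
# copied from the report above; the wuauserv record is an invented benign control.
SAMPLE = r"""
Target ID:80
Start time:05:19:51
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:81
Start time:05:19:51
Start date:26/12/2024
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Target ID:82
Start time:05:19:51
Start date:26/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:83
Start time:05:19:51
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:85
Start time:05:19:51
Start date:26/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:86
Start time:05:19:51
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:88
Start time:05:19:52
Start date:26/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:89
Start time:05:19:52
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:92
Start time:05:19:52
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:95
Start time:05:19:52
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:999
Start time:05:20:30
Start date:26/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start wuauserv
"""

SC_START = re.compile(r"^\s*sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)
CMD_WRAPPED = re.compile(r"^\s*cmd(?:\.exe)?\s+/c\s+start\s+sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def parse_records(text):
    """Split blank-line-separated 'Key:Value' blocks into dicts (first ':' is the separator,
    so 'Start time:05:19:51' keeps its value intact)."""
    records, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        records.append(cur)
    return records


def started_at(rec):
    return datetime.strptime(rec["Start date"] + " " + rec["Start time"], "%d/%m/%Y %H:%M:%S")


def find_service_start_bursts(records, min_count=3, window_seconds=10):
    """Return {service: details} for every service that sc.exe was told to start at least
    min_count times within any window_seconds span; cmd_wrapped marks 'cmd /c start' use."""
    starts, wrapped = defaultdict(list), set()
    for rec in records:
        path, cmd = rec.get("Path", "").lower(), rec.get("Commandline", "")
        if path.endswith("\\sc.exe"):
            m = SC_START.match(cmd)
            if m:
                starts[m.group(1)].append(started_at(rec))
        elif path.endswith("\\cmd.exe"):
            m = CMD_WRAPPED.match(cmd)
            if m:
                wrapped.add(m.group(1))
    findings = {}
    for svc, times in starts.items():
        times.sort()
        best, lo = 0, 0  # sliding window over sorted start times
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_count:
            findings[svc] = {"attempts": len(times), "max_in_window": best,
                             "cmd_wrapped": svc in wrapped,
                             "first": times[0].isoformat(), "last": times[-1].isoformat()}
    return findings


if __name__ == "__main__":
    print(json.dumps(find_service_start_bursts(parse_records(SAMPLE)), indent=2))
```

On the sample this reports only CleverSoar (six attempts, all inside one ten-second window, wrapped in `cmd /c start`); the single wuauserv start is below the threshold. The same logic maps directly onto Sysmon event 1 or Windows 4688 records by substituting the process-creation fields for the sandbox keys; the service name it extracts is what you would then check against the registered services on the host.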

                                Execution Graph

                                Execution Coverage:0%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.3%
                                Total number of Nodes:43
                                Total number of Limit Nodes:1
                                execution_graph (the raw node/edge dump rendered as a list; addresses are the graph nodes, "->" the edges, API names in parentheses are the calls resolved at that node; entry node is 6c6dc974):
                                • 6c6dc974 -> 6c6dc980 -> 6c6dc994 -> 6c6e22c2; alternate edge 6c6dc980 -> 6c6dc987 (GetLastError, ExitThread)
                                • 6c6e22c2 (GetLastError) -> 6c6e22d9 -> 6c6e4433 (TlsGetValue, GetProcAddress); 6c6e22c2 -> 6c6e22df -> 6c6e22e5, and 6c6e22df -> 6c6e4472 (TlsSetValue, GetProcAddress)
                                • 6c6e22fd, 6c6e2315, 6c6e232c, 6c6e2338, 6c6e2379, 6c6e2390, 6c6e23aa, 6c6e23c2, 6c6e23d7, 6c6e23e3: repeated calls into 6c6e4433 (TlsGetValue, GetProcAddress) and 6c6e4472 (TlsSetValue, GetProcAddress), converging on 6c6e2364 (SetLastError) -> 6c6e2373 and on 6c6e2396, both returning to 6c6dc999 (one limit node in this region)
                                • 6c6dc999 -> 6c6e7676 -> 6c6e7688 (GetPEB) -> 6c6e769b -> 6c6e4728 (GetProcAddress) -> 6c6dc9a4; also 6c6e7676 -> 6c6dc9a4 and 6c6e7688 -> 6c6dc9a4; 6c6dc9a4 -> 6c6dc9b0 directly or via 6c6e467f (GetProcAddress)
                                • 6c6dc9b0 -> 6c6dc8df (11 API calls) -> 6c6dc9d2 -> 6c6dde29 (GetLastError, SetLastError, TlsGetValue, TlsSetValue, GetProcAddress) -> 6c6dc9e3

                                Control-flow Graph

                                APIs
                                • GetLastError.KERNEL32(6C703A20,0000000C), ref: 6C6DC987
                                • ExitThread.KERNEL32 ref: 6C6DC98E
                                Memory Dump Source
                                • Source File: 00000007.00000002.2302399933.000000006C611000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C610000, based on PE: true
                                • Associated: 00000007.00000002.2302371549.000000006C610000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2303204483.000000006C6F5000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2311421140.000000006CC53000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 8b90557a3fd538b3c0fe36e6a3907bc8540f162175f87b77b30fbe21a7863527
                                • Instruction ID: ce72b7f37ac6599768e836ebb25ff4b6be171ac625466e26c72bcaac02f3b913
                                • Opcode Fuzzy Hash: 8b90557a3fd538b3c0fe36e6a3907bc8540f162175f87b77b30fbe21a7863527
                                • Instruction Fuzzy Hash: B3F0C2B0A04205AFDB05AFB0C409EAE3B75FF46308F11055AF402ABB80CF30A945CBA8
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C720097
                                  • Part of subcall function 6C7231D6: __EH_prolog.LIBCMT ref: 6C7231DB
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $*$0UJ$@$@
                                • API String ID: 3519838083-862571645
                                • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                • Instruction ID: 3168027092766a50dab72f3a8febbbd83aec7e407842a0fbaf0c3eca2e2c056e
                                • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                • Instruction Fuzzy Hash: F6339F70E002589FDF21CFA4CA98BDDBBB1BF45308F1080A9D409A7A51DB799E89CF51
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C7728A4
                                • __aulldiv.LIBCMT ref: 6C772C4A
                                • __aulldiv.LIBCMT ref: 6C772C78
                                • __aulldiv.LIBCMT ref: 6C772D18
                                  • Part of subcall function 6C77436D: __EH_prolog.LIBCMT ref: 6C774372
                                  • Part of subcall function 6C77440E: __EH_prolog.LIBCMT ref: 6C774413
                                  • Part of subcall function 6C773E78: __EH_prolog.LIBCMT ref: 6C773E7D
                                  • Part of subcall function 6C76E24A: __EH_prolog.LIBCMT ref: 6C76E24F
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog$__aulldiv
                                • String ID: L$b
                                • API String ID: 604474441-3566554212
                                • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                • Instruction ID: 791ffd2b20047ed4f95c13c4dc1275d9405b4cf99ef1222c747e74218f0db85c
                                • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                • Instruction Fuzzy Hash: FAE28C30D0528DDFCF25CFA4CA98ADCBBB4AF05308F1440A9D559A7B51DB306A89DF61
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C7654B1
                                  • Part of subcall function 6C76693B: __EH_prolog.LIBCMT ref: 6C766940
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 1$`)K$h)K
                                • API String ID: 3519838083-3935664338
                                • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction ID: 520b00d5270f7b323ddd8a52844caa44583513fbd75837f845d4afc8981aaf04
                                • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction Fuzzy Hash: 64F27C70900248DFDB11CFAACA88BDDBBB5AF49308F244599D849EBB41DB719E85CF11
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C757EF4
                                  • Part of subcall function 6C75B622: __EH_prolog.LIBCMT ref: 6C75B627
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $h%K
                                • API String ID: 3519838083-1737110039
                                • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction ID: 10360ff74301cc013ae6c8800a7096530ff906f23857c45bbf03ae06e6cb8a4b
                                • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction Fuzzy Hash: 2353AA70D00258DFDF15CBA4CA98BEDBBB4AF19308F5440E9D449A7691DB30AE99CF21
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $J
                                • API String ID: 3519838083-1755042146
                                • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction ID: 3cff6859ed46face38e2331213c5cbd189b403af4b02fa7c927140daea4aa26e
                                • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction Fuzzy Hash: EBE2D030905259DFEF01CFAAC648BDDBBB0AF15318F2480A8EC55ABB82D774D945CB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C733CE5
                                  • Part of subcall function 6C709C2A: __EH_prolog.LIBCMT ref: 6C709C2F
                                  • Part of subcall function 6C70B6A6: __EH_prolog.LIBCMT ref: 6C70B6AB
                                  • Part of subcall function 6C733A0E: __EH_prolog.LIBCMT ref: 6C733A13
                                  • Part of subcall function 6C733837: __EH_prolog.LIBCMT ref: 6C73383C
                                  • Part of subcall function 6C737143: __EH_prolog.LIBCMT ref: 6C737148
                                  • Part of subcall function 6C737143: ctype.LIBCPMT ref: 6C73716C
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction ID: 5b626b03d3b139384263055eca9227f5e0278fbe1150011e3924d272baf0709b
                                • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction Fuzzy Hash: 9E03DE709012A8DFDF15CFA4CA5CBDCBBB0AF15308F2480A9D84967792DB745B89DB21
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: 3J$`/J$`1J$p0J
                                • API String ID: 0-2826663437
                                • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction ID: c79dfe7ec65655b2b503ecd8612165a00f4bf92786fe1c8ce88c41305872a06b
                                • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction Fuzzy Hash: 1A410872F109200AF3888E7A8C895667FC3D7CA346B4AC33DD565C76D9DA7DC40782A4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: W
                                • API String ID: 3519838083-655174618
                                • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction ID: 0dcdf1d06d623f0d071ec86a1917d666ac4b144a277eeace356dd9d0275499f5
                                • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction Fuzzy Hash: 96B27C70A05259DFDB00CFA8C688B9DBBB5AF09308F6440A9E845EB791CB75DD51CBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-3916222277
                                • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                • Instruction ID: a843edb73fecc8c1fb98c31ce9ae091a0f90f34edb2a0bae6fbabdb1c204a0e0
                                • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                • Instruction Fuzzy Hash: C892B030A01249DFDB04DFA8CA58BEEBBB1BF09309F248198E855AB751C771DD49CB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-3916222277
                                • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                • Instruction ID: eda193e675c7469f554ebe451e2cdc89d03cddae6ab987bbd06ac22fa2f1b500
                                • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                • Instruction Fuzzy Hash: 1C224870A002099FDB14CFA8C588B9EBBF0BF08308F508569E859DB782DB75E955CF90
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C75189B
                                  • Part of subcall function 6C752FC9: __EH_prolog.LIBCMT ref: 6C752FCE
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @ K
                                • API String ID: 3519838083-4216449128
                                • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction ID: b2be37ce74d16bcdbd80ab0727bcfc5a789850a6e3863bf1284f575cc02a2a4f
                                • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction Fuzzy Hash: ECD14271E002048FDB01CFA8C688BDEBBB6FF8031AF54812AD405ABA95DF70D895CB11
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction ID: 1b59c26b1a5a615b3fac26dbfc19e4de5c79000bb5bed12c2f089a8663641ec3
                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction Fuzzy Hash: ED91D4F1F011099ACF04DFA4DAA89EDB7F1FF05348F208069D851A7A52DB715B89CB94
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction ID: ec406a2f4f04c43055eca5692e73b788e2af31efe76765fd6148a9b2e43070ed
                                • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction Fuzzy Hash: E6B2AC309047498FCB21CF6AC694BDEBBF1BF05308F2485A9D89AA7E41D771A985CF11
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction ID: 101d0ae307244ea2bf9a9d3a304ed9ca8a3a9d5c3d8bfc36280362c1297c46f2
                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction Fuzzy Hash: 7E218D37AA48560BD74CCA68EC33AB92680E744305B88527EE94BCB7E1DE6C8800C648
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C72240F
                                  • Part of subcall function 6C723137: __EH_prolog.LIBCMT ref: 6C72313C
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction ID: 988aeafca1a83db13b464cbee76ed742210fa67927f59d95461ae0ea03c5639b
                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction Fuzzy Hash: C0629C71D14219CFDF15CFA4CA98BEDBBB4BF08318F14416AE855ABA80D7789A44CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: YA1
                                • API String ID: 0-613462611
                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction ID: 3c35f9e2333263a5bdc35342dcc712442476e11e36442ba3924ae49e3682f2a1
                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction Fuzzy Hash: E44214306093858FD725CF28C59069ABBE2FFC9318F145A6DE8D58B742D771D80ACB62
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                • Instruction ID: a902af461a1cbf6ce4f0acc0ca58722f28372f0607245e7f245a3fae53246709
                                • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                • Instruction Fuzzy Hash: D0E19E716083448FD724CF69C980B9AB7F5BFC8318F148A2EF8998B755D7309946CB92
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction ID: f4bffdf4c842abfdaf95ea9ccb56f88e0edad5288c39e04d53aaade7aeae055a
                                • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction Fuzzy Hash: 3EF16C70A00249DFCB44CFA4D698BEDBBB1BF04308F54816DD419ABB52DB71AA69CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction ID: 62d2d66e7825594d41e9524eb41b6194ef0a63febe1e0c032a1f1138fe7c5ec3
                                • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction Fuzzy Hash: 62324AB1A083058FC318CF56C48495AF7E2BFCC314F468A6DE98997355DB74AA09CF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction ID: d85d39577c83ab2f029ffb2ea0831dc797bf2a9071d8b4e5e1dc2ec3dc3c06ec
                                • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction Fuzzy Hash: B21207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction ID: d521bcb3fa1a50fa38054f12074c4bfdf9bf191b55daee2f5c4dc6019e437fd5
                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction Fuzzy Hash: 1351E8B1A043459BD710CF6EC4C12EAFBF6AF79214F18C05AE88897242D27A499AC760
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction ID: a85768886dfcf90e12e2761e58b2afb71b92a0a0120261207e84cac86a05eca8
                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction Fuzzy Hash: 9602AC3160A3818BD325CF29C69079EBBE2ABC8358F144A3DFAD697B51C770D945CB42
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction ID: f89dc111e7c4df107c8e31689dde24936b3065cf28a6ff749f555e70849182a2
                                • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction Fuzzy Hash: 91D13E729083148FD758DF4AD44005BF7E2BFC8314F1A8A2EF899A7315DB70A9568BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction ID: 065ff472b07d250cb6fdb6f2462e06a2de0aa211fa47e8b67d2dde136d52037f
                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction Fuzzy Hash: 1F516473E208314AD78CCE24DC2177572D2E784310F8BC2B99D4BAB6E6DD78989587D4
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction ID: 43d2b981067f995c490e4223049f7d3ee0d57d01e51239096e1f003973300be0
                                • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction Fuzzy Hash: FC72ACB16042168FD758CF28C590268FBE1FF89314B5A46BED85ADB742DB30E895CBD0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction ID: b952060e4b392b2786f0d581d5e5e5ef61f5caf8d78b6cc655f234a873227ef2
                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction Fuzzy Hash: CA528F31208B458BD728CF29C6946AABBE2FFA5308F148A2DD4DAC7B41DB70F445CB55
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction ID: 140c155310c044133fd5f2869f57efe234cf805b8cf831dee0f794b9e8638d16
                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction Fuzzy Hash: E96214B1A087458FC714CF1AD68091AFBF6BFC8744F248A2EE89997715D770E845CB82
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction ID: d2d7529903a026f1530f1608b959316520afda8ef9028079635f8c2322e7ee1b
                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction Fuzzy Hash: 47429E31204B168FD368CF29E9847AAB7F2FB84314F044A2DE896C7B95E774E549CB41
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                • Instruction ID: 67cc25770ed9278bf3f5bc0f0b49779231c356a1bd56432274a49fb52453f505
                                • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                • Instruction Fuzzy Hash: F032F171A0124A8BDB08CF28C9A02DE3BA6FF89344F55853DEE55DB781D7B0E951DB80
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: 7f0cfa89f4cc91ff6ec5501659bcbd8acbdfd46cd50e1252225f22b94d7b1619
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: 2112AF7160A3458FC718CF29C6906AABBF2BFC8344F54893DE6A687B42D731E845CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction ID: 0578b5a7f392e7cdaa4169b9ff9eb8074ed25591f068c4cc783eb34dd79b7ba0
                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction Fuzzy Hash: E2022673A483504BD714CE2ACD80219BBE7FBC4390F5A4A2EF89647786DAB0D956C781
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: 613487c8aa1e75cdd4b75fac180de45327bce64e4927c1df8e87ef4d5d4422e0
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: 00022832A483118BC318CE28D580269BBF7FBC4345F190B3EE49697B96D770D894CB82
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction ID: 94dfb1edb65afe0bb329226295c03031edc1e40529e97adf99806cb9572b9058
                                • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction Fuzzy Hash: C012C0306087618FC328CF2ED594626FBF2AF89304F188A6ED1D687BA5D735E548CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction ID: 288c422445355a40066e6ccb371b3e1ed19249e432d1edbab9d75d5f811811a7
                                • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction Fuzzy Hash: 9602B3706087208FD328CF2ED49422AFBF1EF85301F188A6EE5DA87B91D636E555CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction ID: bd5776b1ccd442b575cde822768e743fbeff37ae3fc4e3df58dd3d0479642022
                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction Fuzzy Hash: 29F100326042888BEF34DE2CD9507EEBBE2FBC9305F544539D889CBB41DB35954A87A1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction ID: ae691f7cc9cf70a097ef72d6429b4640e92e208ed3012a4092313ddcbc358d7b
                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction Fuzzy Hash: B9E1FE35705B008BE724CE2DD9A03ABB7E6EBC4314F544A3DC69687B81DB75E40ACB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction ID: 944eba0d0692b41c856f46f6b63b8eb73a67d4e6ef4cc8b56356edfcb42e90a8
                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction Fuzzy Hash: 0AF1C070608B518FC328CF2DD490266FBE2BF89305F188A6ED1D68BB92D739E554CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction ID: c0fe9fc3cf094ec456e37ab172f3b52e5afe3ffe1abd4cf37be96dd675aec91b
                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction Fuzzy Hash: F2F1F2705087618FD328CF2AD59026AFBF2FF95304F188A2ED4DA87A92D339E155CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction ID: 42daab89f6222ec717da0bb4a76fed9794f721d9ee782450bb698bcc5ade1a0a
                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction Fuzzy Hash: 0EC1D171605B068BE328CF2DC5906AAB7E2FBC4314F548A3DC6A787B46D674F485CB81
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction ID: 173007538d3e4f713f13967a3b9cc3b53d25ea62ee00115a2908ac9483ee86b5
                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction Fuzzy Hash: 4FD131715067128FD718EF2DC5A4236BBE1FF86305F054ABDDAA28B78AD7349605CB40
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction ID: 9ecb98e9944d00ae98d55e2ccf2b273190728a07c0cba061d3a3092672eec275
                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction Fuzzy Hash: FFE1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A942DB94
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction ID: 3edc3be9fc2e306e46ec5a7c8e88b62ef595cc57052693a34b2bf3056968208f
                                • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction Fuzzy Hash: EEB16071A062118FC340CF29C9802497BA2FFC5269775D7BDC5A89FA5AD336E817CB90
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 8f8d38bb849358b8f17576c6c7a6e179bb1a01a0ac052074626fb196b1feb70c
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: 29C1B5352047458BC728CF39D2A0697BFE2EFD9314F148A6DC4DA8BB56DA30A40DCB65
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction ID: 1bd55ce7cb60a90c934a6e6827e2d00b849b3b0e024cfb3a5540efb5c9109ec6
                                • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction Fuzzy Hash: A1B17F71A022448FC750CF29C980244BBA2FF8536CB7996AEC9948F647D337E847CB90
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction ID: 9fde50c89d06fff5847dc13e5f1d60358b3baa9aa391ba54541237efc3f79301
                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction Fuzzy Hash: 4FD1E7B1848B9A5FD394EF4DEC81A357762AB88301F4A8239DB6007753D634FB12D794
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction ID: f77986e58f35b62b6e5f94439c85a98613b19215ca959f28b298c49e21ed273d
                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction Fuzzy Hash: FEB1C0313047094BEB24DF39CA98BDAB7E1BF84318F44452DC5AA87B51DF34B50987A1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction ID: c29c80ff79d6113136ca3f52304ec08377df1b395f8727aa93f9995b857a4411
                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction Fuzzy Hash: 76B18A7560470A8FC314DF29C9806EAF7E2FFC8304F14892DE49A87711E771A55ACBA6
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction ID: 559716ef8a3ae9a33d1d7883021436a8e4058ae519a96fb4494dbd7b7a152308
                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction Fuzzy Hash: 89A1037221D3419FC319CF29C69069EBBE1ABD5308F148A3DE5D6C7B41D631EA4ACB42
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction ID: 37f1a0c66a0da92f37bcdf182c91b030960caab3f0fcd171852a67921ad05877
                                • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction Fuzzy Hash: 73614EB23092558FD708CFA9E680A96B3E9EB98321B1685BFD215CB361E771DC41C718
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction ID: abfd2fec1306410e6a692232718a69e86624b64723a97e1a143b0653304738a9
                                • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction Fuzzy Hash: 3881BF35A057018FC320CF29C180646B7E2FF99714F288A7DC699DB715E772EA46CB81
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction ID: a875ea77e5bbcef81998881c571aa32d5d72f5b5012444b459aab8547d46067e
                                • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction Fuzzy Hash: F281F1B2D447298BD710CF88ECC4596B3A1FB88308F0A4679DE591B352D2B9B915DBD0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                • Instruction ID: 787857ee72f5cf085c5abf0d4abe15197f57424b88dace1f8a38f570d7df41b2
                                • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                • Instruction Fuzzy Hash: DCA1BE7190824A8FD729CF19D590AAEB7F2FFC4308F188A2DE4968B342D735A555CF41
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction ID: 1fb8354a894b0046dc8cd2aa6bcda48dafe8b6fa6a3d246dc604947905624d42
                                • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction Fuzzy Hash: 75918072C1872A8BD314CF18D88025AB7E0FB88318F49067DED9A97342D739EA55CBC5
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: b989bef354057c7b85744302e0fcd90e23eef1fc20d42fc28ad64457fbc0bc41
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: 0D518072F046099FDB08CE98DE926ADB7F1EB98304F28857AD111E7B82D7749A41CF44
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                • Instruction ID: 6b72832230faba651ab232b871f169f9c7a33389a905e389f6d2e0ef17d1ae37
                                • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                • Instruction Fuzzy Hash: 545180316083498BDB20DF6EC980516B7E1FB98308F244A6EE994A7712D775E907CBE1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: 2634bdf23425acd3f49c636be113d8ce5f2e64f1b38bb7fb4f46f4fcc5821dcc
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: 183114277A840103C70CCD3BCD1279F91575BD422A70ECF39AC09DEF56D52CC8164144
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                • Instruction ID: eb981baf0efec9ec8086ce615a09d0b792c601a7a73b97db264400206fe086ed
                                • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                • Instruction Fuzzy Hash: C43139F3D02A054BF200A91ACFC07567223DBC27FAF2AC775DB6687EE8DA7594468141
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction ID: 17f64d3c2385b89045fbc699ea69ba71c20ee1db800718b0755c83454e284b38
                                • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction Fuzzy Hash: 29315973506A050AF200952ACF80356B323DFC23BDF2AC735DB6687EEDCA71A8468641
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction ID: 477df0902110f3be4ed57c45303762b048f17ebee62129885bb224e02b5f54c1
                                • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction Fuzzy Hash: 6541C1B29047068BD704CF19C890A6AB3E4FF88318F454A7DED5AA7381E331FA15CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction ID: 302fbc15d23d41c30dad31d75c873bc251c93a12270849ad4679bd35ca102acf
                                • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction Fuzzy Hash: 162106B1A087A647F7209EBDCC8027577929BC1305F098379D9B48EA87D179D4A3D260
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                • Instruction ID: d848a2c2db61fc39f7db48f61f1d59dabccc8f23f54cb53d403d632a14fd8ef4
                                • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                • Instruction Fuzzy Hash: 1B21377251442547C301DF6DE888677B7E1FFC431DF638B3BD9968B581C624D445CA90
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                • Instruction ID: e5b48dffe3e786eb440c4bf672b24756ae14bdaf2ee92958294b2ecfb65ee04e
                                • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                • Instruction Fuzzy Hash: E021F1336021149BC701EFAED98469B73A6FBC8365F67C639ED8187645C630EA0686A0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction ID: 49fa0e5f510183b275095d123494cdcbc172079cbfb8a60aa1f3e0f88a4ef22d
                                • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction Fuzzy Hash: 3F219077320A0647E74C8A38D93737532D0A705318F98A26DEA6BCE2C2E73AC457C385
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                • Instruction ID: 4ab99afa4ba8f7c1f118fc164d91aa775dc724ec5ed5c7ed1ba071f1d4455ba5
                                • Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                • Instruction Fuzzy Hash: 9B2190327193428FC308DF58D88096BBBE6FFC9210F15857DE9849B351C635E906CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                • Instruction ID: e16502c976fb2a1bdf9921175b9df0419063d4d5a8e96445d169a9838a7c7914
                                • Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                • Instruction Fuzzy Hash: 6C1190723183464BC308CE1DDC90966BBE5FBC9310F24897DE985C7342C626D907DB95
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                • Instruction ID: 50bf7f4080c4bd96ea524f8bb5b9bea3615a3b8760685663bc16e5ef1b32489e
                                • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                • Instruction Fuzzy Hash: AB01216529668989DB81DA79D590748FE80F756203FACC3F4E0C8CBF42D589C54BC3A1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction ID: 3b3cfedc7a1d996c2808222ead9ea5b2edc45f8a8261cea1220b7f3660662a52
                                • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction Fuzzy Hash: 9801D17291462E57D7189F08CC41132B390FB84312F49823ADD479B385E734F870C6C0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2302399933.000000006C611000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C610000, based on PE: true
                                • Associated: 00000007.00000002.2302371549.000000006C610000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2303204483.000000006C6F5000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2311421140.000000006CC53000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c9894cd077a2c440a1f974aad43339a956dc4c7ef1791398d89484d1280d6b2
                                • Instruction ID: 15897804d3aa0d344a66018f096cc443cfd39ceaf8e273b0ba274ef6deea26e3
                                • Opcode Fuzzy Hash: 5c9894cd077a2c440a1f974aad43339a956dc4c7ef1791398d89484d1280d6b2
                                • Instruction Fuzzy Hash: 4DF03771A152249BCB11DA4DC905B8573F8D74A759F110156E501A7641C6B0ED41C7D8
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction ID: 79bb21561801745295d783b800fc6bf97490bfd90da4f823d67ba6362670e109
                                • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction Fuzzy Hash: 3AC08CA312810017C306EA3599C0BAAF6A37361330F228D3EE0A2E7E43C329D0658511

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1435 6c73bb50-6c73bb78 call 6c7a3f10 1438 6c73bf6a-6c73bf74 call 6c7063a0 1435->1438 1439 6c73bb7e-6c73bb88 1435->1439 1448 6c73bf76-6c73bf84 1438->1448 1441 6c73bba4-6c73bba8 1439->1441 1442 6c73bb8a-6c73bba2 call 6c73c016 1439->1442 1445 6c73bbaa-6c73bbbc 1441->1445 1446 6c73bbbe-6c73bbc6 call 6c7063b3 1441->1446 1450 6c73bbcb-6c73bbd0 1442->1450 1445->1450 1446->1450 1452 6c73bc12-6c73bc1c 1450->1452 1453 6c73bbd2-6c73bbd4 1450->1453 1456 6c73bc22-6c73bc40 1452->1456 1457 6c73bd2a-6c73bd43 1452->1457 1454 6c73bbd6-6c73bbea 1453->1454 1455 6c73bbeb-6c73bc05 call 6c7064df 1453->1455 1454->1455 1469 6c73bf5b-6c73bf64 1455->1469 1470 6c73bc0b-6c73bc0d 1455->1470 1456->1448 1472 6c73bc46-6c73bc4b 1456->1472 1459 6c73bdb0-6c73bdb7 1457->1459 1460 6c73bd45-6c73bd46 1457->1460 1463 6c73bdca-6c73bdcf 1459->1463 1464 6c73bdb9-6c73bdbc 1459->1464 1466 6c73bd48-6c73bd4b 1460->1466 1467 6c73bd9f-6c73bda6 1460->1467 1473 6c73bdd1-6c73bdd4 1463->1473 1474 6c73be0f-6c73be14 1463->1474 1471 6c73bdbe-6c73bdc1 call 6c70da04 1464->1471 1475 6c73bd4d-6c73bd64 1466->1475 1476 6c73bd6c-6c73bd76 1466->1476 1467->1463 1468 6c73bda8-6c73bdae 1467->1468 1468->1471 1469->1438 1469->1439 1482 6c73bf56 call 6c7063a0 1470->1482 1497 6c73bdc6 1471->1497 1484 6c73bc51-6c73bc58 1472->1484 1485 6c73bf4a-6c73bf4f 1472->1485 1477 6c73bdd6-6c73bdda 1473->1477 1478 6c73bddc-6c73bdfe call 6c73bf9a 1473->1478 1480 6c73be16-6c73be19 1474->1480 1481 6c73be3b-6c73be3f 1474->1481 1501 6c73bd6a 1475->1501 1502 6c73bf8e-6c73bf98 call 6c70da5d 1475->1502 1476->1463 1479 6c73bd78-6c73bd9d call 6c70da30 1476->1479 1477->1474 1477->1478 1516 6c73be00-6c73be07 1478->1516 1517 6c73be09-6c73be0a 1478->1517 1479->1497 1493 6c73be1f 1480->1493 1494 6c73bf3e-6c73bf45 call 6c70da5d 1480->1494 1495 6c73be41-6c73be7a call 6c719133 call 6c73c0fe 1481->1495 1496 6c73beac-6c73beb0 1481->1496 1482->1469 1486 6c73bc85-6c73bc88 1484->1486 1487 6c73bc5a-6c73bc5e 1484->1487 
1485->1469 1490 6c73bf51 1485->1490 1505 6c73bcd2-6c73bcd6 1486->1505 1506 6c73bc8a-6c73bca7 call 6c707204 call 6c73317e 1486->1506 1498 6c73bf87-6c73bf8c 1487->1498 1499 6c73bc64-6c73bc76 call 6c732da0 1487->1499 1490->1482 1507 6c73be22-6c73be36 call 6c73c016 1493->1507 1494->1485 1540 6c73be90-6c73be9f call 6c7a4270 1495->1540 1541 6c73be7c-6c73be82 1495->1541 1508 6c73beb2-6c73bed3 call 6c707497 call 6c70649a 1496->1508 1509 6c73beee-6c73bf02 call 6c732bff 1496->1509 1497->1463 1498->1448 1533 6c73bc78-6c73bc80 1499->1533 1501->1497 1502->1448 1505->1498 1515 6c73bcdc-6c73bce0 1505->1515 1551 6c73bca9-6c73bcb8 call 6c706410 1506->1551 1552 6c73bcbd-6c73bccc call 6c706240 1506->1552 1507->1494 1553 6c73bee1-6c73beec call 6c73c042 1508->1553 1554 6c73bed5-6c73bedf call 6c706410 1508->1554 1536 6c73bf16-6c73bf34 call 6c73c091 1509->1536 1537 6c73bf04-6c73bf11 1509->1537 1523 6c73bce2-6c73bd02 call 6c7065d8 1515->1523 1524 6c73bd07-6c73bd25 call 6c73c176 1515->1524 1525 6c73be83-6c73be8b 1516->1525 1526 6c73bf35-6c73bf3d call 6c7a4270 1517->1526 1523->1485 1524->1533 1525->1494 1526->1494 1533->1485 1536->1526 1537->1525 1540->1494 1563 6c73bea5-6c73bea7 1540->1563 1541->1525 1551->1552 1552->1485 1552->1505 1553->1494 1554->1494 1563->1507
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                • API String ID: 3519838083-609671
                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction ID: da0a0b06adcf88d2d1bbfc83b247ae463ae961804e63421784fad684191dd8d8
                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction Fuzzy Hash: E4D1D471A0461ADFCB01CFA4DA94FEDB7B5FF05308F105169E159A3A52DB70AA48CF60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2252 6c764bb3-6c764bef call 6c7a3f10 2255 6c764c23-6c764c26 2252->2255 2256 6c764bf1-6c764bf4 2252->2256 2257 6c764c2c-6c764c3a call 6c706add 2255->2257 2258 6c764f08-6c764f0b 2255->2258 2259 6c764bf8-6c764bfb 2256->2259 2274 6c764c3c-6c764c48 2257->2274 2275 6c764c98-6c764c9c 2257->2275 2263 6c764f17-6c764f90 call 6c762258 call 6c706b5e 2258->2263 2264 6c764f0d-6c764f11 2258->2264 2261 6c764c04-6c764c06 2259->2261 2262 6c764bfd-6c764bff 2259->2262 2267 6c764c1a-6c764c20 2261->2267 2268 6c764c08-6c764c0f 2261->2268 2266 6c764c01-6c764c02 2262->2266 2262->2267 2297 6c764f96-6c764f99 2263->2297 2264->2263 2269 6c76500d-6c765013 2264->2269 2266->2259 2267->2255 2276 6c764c17 2268->2276 2277 6c764c11-6c764c15 2268->2277 2272 6c7650e7-6c7650eb call 6c7647d6 2269->2272 2273 6c765019-6c765024 2269->2273 2287 6c7650f0-6c7650fe 2272->2287 2282 6c765026-6c765033 call 6c706d7f 2273->2282 2283 6c765050-6c765062 call 6c706b5e 2273->2283 2284 6c764c82-6c764c85 2274->2284 2285 6c764c4a-6c764c4d 2274->2285 2280 6c764c9e-6c764caa call 6c765101 2275->2280 2281 6c764caf-6c764cb3 2275->2281 2276->2267 2277->2268 2277->2276 2280->2281 2289 6c764cb5 2281->2289 2290 6c764cf1-6c764cf4 2281->2290 2309 6c7650d5-6c7650e2 call 6c706d49 2282->2309 2312 6c765064-6c765069 2283->2312 2313 6c76506b-6c765098 call 6c706ca1 call 6c7a25a0 call 6c705e01 2283->2313 2284->2275 2294 6c764c87-6c764c93 call 6c765101 2284->2294 2285->2284 2292 6c764c4f-6c764c53 2285->2292 2298 6c764cb7-6c764cb9 2289->2298 2299 6c764cbb-6c764cf0 call 6c706add call 6c7076a0 call 6c765101 call 6c706240 2289->2299 2295 6c764cf6-6c764d02 call 6c765315 2290->2295 2296 6c764d07-6c764d0a 2290->2296 2292->2284 2301 6c764c55-6c764c57 2292->2301 2294->2275 2295->2296 2305 6c764d0c-6c764d18 call 6c765315 2296->2305 2306 6c764d1d-6c764d47 call 6c765315 * 2 2296->2306 2307 6c764fa7-6c764fae 2297->2307 2308 6c764f9b-6c764fa5 2297->2308 2298->2290 2298->2299 2299->2290 2301->2284 2311 
6c764c59 2301->2311 2305->2306 2348 6c764d5f 2306->2348 2349 6c764d49 2306->2349 2315 6c764fb1-6c764fba 2307->2315 2308->2315 2309->2272 2318 6c764c5b-6c764c65 2311->2318 2319 6c76509b-6c7650a5 call 6c706ca1 2312->2319 2313->2319 2323 6c764ff5-6c764ffc 2315->2323 2324 6c764fbc-6c764fdd call 6c7647d6 2315->2324 2318->2284 2327 6c764c67-6c764c6b 2318->2327 2338 6c7650a7-6c7650b7 2319->2338 2339 6c7650cb-6c7650cd call 6c706c89 2319->2339 2323->2297 2335 6c764ffe-6c765008 call 6c7605ac 2323->2335 2346 6c764fdf-6c764ff0 call 6c7653d4 2324->2346 2347 6c765038-6c765044 call 6c7605ac 2324->2347 2327->2318 2334 6c764c6d-6c764c78 2327->2334 2334->2284 2343 6c764c7a-6c764c7d 2334->2343 2335->2269 2338->2339 2345 6c7650b9-6c7650c9 call 6c706bbb 2338->2345 2360 6c7650d2 2339->2360 2343->2284 2352 6c764c7f 2343->2352 2345->2360 2346->2347 2373 6c764ff2 2346->2373 2364 6c765049-6c76504b 2347->2364 2353 6c764d63-6c764d6c 2348->2353 2358 6c764d4f-6c764d52 2349->2358 2359 6c764d4b-6c764d4d 2349->2359 2352->2284 2362 6c764d6e-6c764d71 2353->2362 2363 6c764d98-6c764d9f 2353->2363 2358->2348 2367 6c764d54 2358->2367 2359->2348 2359->2358 2360->2309 2369 6c764d86-6c764d93 call 6c7651a4 2362->2369 2370 6c764d73-6c764d76 2362->2370 2371 6c764db3-6c764dc0 2363->2371 2372 6c764da1-6c764dae call 6c7651a4 2363->2372 2364->2287 2374 6c764d56-6c764d58 2367->2374 2375 6c764d5a-6c764d5d 2367->2375 2369->2363 2370->2363 2376 6c764d78-6c764d7b 2370->2376 2379 6c764dd4-6c764dda 2371->2379 2380 6c764dc2-6c764dcf call 6c7651a4 2371->2380 2372->2371 2373->2323 2374->2348 2374->2375 2375->2353 2376->2369 2383 6c764d7d-6c764d7f 2376->2383 2381 6c764ddc-6c764de8 call 6c765101 2379->2381 2382 6c764ded-6c764df1 2379->2382 2380->2379 2381->2382 2386 6c764e04-6c764e0c 2382->2386 2387 6c764df3-6c764dff call 6c765101 2382->2387 2383->2363 2388 6c764d81-6c764d84 2383->2388 2390 6c764ef6-6c764f03 call 6c706240 2386->2390 2391 6c764e12-6c764e81 call 6c762258 call 6c706b5e 2386->2391 2387->2386 2388->2363 
2388->2369 2390->2269 2398 6c764e83-6c764e89 2391->2398 2399 6c764e8f-6c764eb7 call 6c7647d6 2391->2399 2398->2399 2402 6c764eca-6c764ee3 call 6c7605ac call 6c706240 2399->2402 2403 6c764eb9-6c764ec8 call 6c7653d4 2399->2403 2402->2364 2403->2402 2408 6c764ee8-6c764ef1 call 6c7605ac 2403->2408 2408->2390
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                • API String ID: 3519838083-3887797823
                                • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                • Instruction ID: 3a47b42947889b9114b5818d8ca7f1beed192aa1465e36d987ccd23852b9208a
                                • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                • Instruction Fuzzy Hash: 9D020571901249DFCB11CF66CAA4ADDFBB5BF05308F5481AEC845A7E41DB30AA88DF60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2412 6c752b6f-6c752b9c call 6c7a3f10 call 6c707247 call 6c706685 2419 6c752bcc-6c752bd1 2412->2419 2420 6c752b9e-6c752ba5 2412->2420 2423 6c752d43-6c752d5c call 6c706240 2419->2423 2421 6c752ba7-6c752bb3 call 6c707963 2420->2421 2422 6c752be6-6c752bf6 call 6c712117 2420->2422 2432 6c752bb5-6c752bbf call 6c752ac2 2421->2432 2433 6c752bc4-6c752bca 2421->2433 2430 6c752d36-6c752d3c call 6c744d82 2422->2430 2431 6c752bfc-6c752c0b call 6c7067ac 2422->2431 2440 6c752d41 2430->2440 2443 6c752c20-6c752c2f call 6c7067ac 2431->2443 2444 6c752c0d 2431->2444 2432->2440 2433->2419 2437 6c752bd6-6c752be1 call 6c7529b6 2433->2437 2437->2440 2440->2423 2450 6c752c36-6c752c45 call 6c7067ac 2443->2450 2451 6c752c31-6c752c34 2443->2451 2445 6c752c13-6c752c1b call 6c7120d7 2444->2445 2445->2440 2454 6c752c74-6c752c83 call 6c7067ac 2450->2454 2455 6c752c47-6c752c58 call 6c7120d7 2450->2455 2451->2445 2461 6c752c85-6c752c92 call 6c7120d7 2454->2461 2462 6c752ca3-6c752cb9 call 6c7450c1 2454->2462 2455->2440 2460 6c752c5e-6c752c6f 2455->2460 2460->2440 2461->2440 2468 6c752c98 2461->2468 2462->2440 2467 6c752cbf-6c752cc2 2462->2467 2469 6c752cc4-6c752ccd 2467->2469 2470 6c752ce2-6c752cf1 call 6c7067ac 2467->2470 2471 6c752c9c-6c752c9e 2468->2471 2469->2471 2472 6c752ccf-6c752cd1 2469->2472 2477 6c752cf3-6c752d00 call 6c745191 2470->2477 2478 6c752d02-6c752d11 call 6c7067ac 2470->2478 2471->2423 2472->2471 2474 6c752cd3-6c752cd6 2472->2474 2474->2471 2476 6c752cd8-6c752cdb 2474->2476 2476->2471 2479 6c752cdd 2476->2479 2477->2440 2484 6c752d13-6c752d19 2478->2484 2485 6c752d1b-6c752d2a call 6c7067ac 2478->2485 2479->2419 2486 6c752d2f 2484->2486 2485->2430 2489 6c752d2c 2485->2489 2486->2430 2489->2486
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C752B74
                                  • Part of subcall function 6C752AC2: __EH_prolog.LIBCMT ref: 6C752AC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                • API String ID: 3519838083-3148776506
                                • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                • Instruction ID: 72f93a77f805446b59a10ba7c1e0f987437603f7ef7588ab3f835c2e9234c6cf
                                • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                • Instruction Fuzzy Hash: C551D471E0420A9BCF04DF64C69CAEEB372AB4130CF60C52ACD619BB91DF759A59C790

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3077 6c750cb2-6c750cd3 call 6c7a3f10 call 6c70da86 3082 6c750cd5-6c750cd7 3077->3082 3083 6c750cdc-6c750d1c call 6c75353e 3077->3083 3084 6c7510f1-6c7510fd 3082->3084 3087 6c7510e0-6c7510f0 call 6c70d875 3083->3087 3088 6c750d22-6c750d25 3083->3088 3087->3084 3089 6c7510b1-6c7510b5 3088->3089 3090 6c750d2b-6c750d50 call 6c7533b5 3088->3090 3089->3087 3092 6c7510b7-6c7510ba 3089->3092 3097 6c750d84-6c750d8e 3090->3097 3098 6c750d52-6c750d7f call 6c7a4250 3090->3098 3092->3087 3095 6c7510bc-6c7510d8 3092->3095 3095->3087 3100 6c750da0-6c750da8 3097->3100 3101 6c750d90-6c750d9b call 6c75353e * 2 3097->3101 3109 6c750d81 3098->3109 3102 6c750dbe-6c750dc6 3100->3102 3103 6c750daa-6c750dbb call 6c75353e 3100->3103 3101->3100 3107 6c751021-6c75103f call 6c706add call 6c70efdb 3102->3107 3108 6c750dcc 3102->3108 3103->3102 3130 6c751041-6c751042 3107->3130 3131 6c75104a-6c75104f 3107->3131 3112 6c750dce-6c750dd2 3108->3112 3113 6c750dd8-6c750de1 3108->3113 3109->3097 3112->3107 3112->3113 3116 6c750de7-6c750df1 3113->3116 3117 6c750ecf-6c750ed2 3113->3117 3121 6c750df3-6c750e06 call 6c750a9a 3116->3121 3122 6c750e68-6c750e6d 3116->3122 3119 6c750ed4-6c750ede 3117->3119 3120 6c750ef0-6c750ef6 3117->3120 3119->3122 3125 6c750ee0-6c750eeb call 6c750b0c 3119->3125 3128 6c750f3e-6c750f41 3120->3128 3129 6c750ef8-6c750f02 3120->3129 3121->3122 3147 6c750e08-6c750e35 3121->3147 3122->3107 3126 6c750e73-6c750e79 3122->3126 3125->3122 3135 6c750e82-6c750e87 3126->3135 3136 6c750e7b-6c750e80 3126->3136 3132 6c750f43-6c750f4d 3128->3132 3133 6c750f5c-6c750f5f 3128->3133 3129->3122 3138 6c750f08-6c750f1c call 6c705cad 3129->3138 3130->3131 3139 6c751051-6c751068 call 6c7507b7 3131->3139 3140 6c75106a-6c75106f 3131->3140 3132->3122 3141 6c750f53-6c750f5a 3132->3141 3142 6c750f61-6c750f6b 3133->3142 3143 6c750f78-6c750f7e 3133->3143 3145 6c750e91-6c750e96 3135->3145 3146 6c750e89-6c750e8f 3135->3146 3136->3135 3136->3136 3173 
6c750f22-6c750f26 3138->3173 3167 6c751091-6c75109e call 6c706240 3139->3167 3150 6c751071-6c75107a 3140->3150 3151 6c7510a3-6c7510ac call 6c706240 3140->3151 3152 6c750fc2-6c750fc7 call 6c705cad 3141->3152 3142->3122 3153 6c750f71-6c750f76 3142->3153 3154 6c750f80-6c750f87 3143->3154 3155 6c750f8c-6c750f92 3143->3155 3158 6c750e99-6c750e9d 3145->3158 3159 6c750e98 3145->3159 3146->3145 3146->3146 3156 6c750e44-6c750e46 3147->3156 3157 6c750e37-6c750e42 call 6c751100 3147->3157 3150->3167 3168 6c75107c 3150->3168 3151->3089 3152->3122 3153->3152 3154->3122 3169 6c750f94-6c750f9b 3155->3169 3170 6c750fa0-6c750fa6 3155->3170 3163 6c750e55-6c750e58 3156->3163 3164 6c750e48-6c750e53 call 6c751100 3156->3164 3157->3156 3161 6c750ea0-6c750ea6 3158->3161 3162 6c750e9f 3158->3162 3159->3158 3174 6c750eac-6c750ebe 3161->3174 3175 6c7510ae 3161->3175 3162->3161 3181 6c750e65 3163->3181 3182 6c750e5a-6c750e60 call 6c751100 3163->3182 3164->3163 3196 6c75100f-6c751016 3167->3196 3183 6c751083-6c75108f 3168->3183 3169->3122 3170->3107 3185 6c750fa8-6c750fb2 3170->3185 3178 6c750f2f-6c750f39 call 6c750a9a 3173->3178 3179 6c750f28-6c750f2d 3173->3179 3188 6c750ebf-6c750ec2 3174->3188 3175->3089 3178->3122 3179->3173 3181->3122 3182->3181 3183->3167 3183->3183 3185->3122 3187 6c750fb8-6c750fc0 3185->3187 3187->3152 3193 6c750fcc-6c750fce 3188->3193 3194 6c750ec8-6c750ecd 3188->3194 3197 6c750fd0-6c750fed 3193->3197 3198 6c750ff9-6c750ffd 3193->3198 3194->3188 3196->3088 3199 6c75101c 3196->3199 3197->3198 3200 6c750fef-6c750ff7 3197->3200 3201 6c75100c 3198->3201 3202 6c750fff-6c751004 3198->3202 3199->3087 3200->3198 3200->3200 3201->3196 3202->3201
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $$ K$, K$.$o
                                • API String ID: 3519838083-1786814033
                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction ID: 8e564916e9ee03d0f9a04cbbc202775b3b857bbdb50d5abf7b6cbacb0d8721ee
                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction Fuzzy Hash: 5FD12631E042D98FCF01CFA8DA947EEBBB1BF0530CFA44269C455ABA81CB719955CB51

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3203 6c723798-6c7237ba call 6c7a3f10 3206 6c7237bf-6c7237cf call 6c70f028 3203->3206 3207 6c7237bc 3203->3207 3210 6c723b20-6c723b25 3206->3210 3211 6c7237d5-6c7237da 3206->3211 3207->3206 3212 6c723cf6-6c723d04 3210->3212 3213 6c7237df-6c72380f call 6c7a4210 call 6c7a40e0 * 2 3211->3213 3214 6c7237dc 3211->3214 3221 6c723811-6c723818 3213->3221 3222 6c72381b-6c723833 3213->3222 3214->3213 3221->3222 3223 6c723840-6c723863 call 6c723dba call 6c70620c 3222->3223 3224 6c723835-6c72383a 3222->3224 3234 6c723865-6c72387d call 6c7a402a 3223->3234 3235 6c72387f 3223->3235 3224->3223 3225 6c723ace-6c723af9 call 6c706add call 6c70f36c 3224->3225 3238 6c723aff-6c723b04 3225->3238 3239 6c723bbc-6c723bce call 6c706240 3225->3239 3236 6c723881-6c723894 call 6c79c2e0 3234->3236 3235->3236 3249 6c723896 3236->3249 3250 6c7238a9-6c7238b2 3236->3250 3242 6c723b06-6c723b18 call 6c706240 3238->3242 3243 6c723b2a-6c723b42 3238->3243 3252 6c723bd0-6c723bd2 3239->3252 3253 6c723bd6-6c723bd8 3239->3253 3242->3210 3254 6c723b1a-6c723b1c 3242->3254 3259 6c723b56-6c723b79 call 6c71f10c 3243->3259 3260 6c723b44-6c723b54 call 6c71238c 3243->3260 3255 6c7238a2-6c7238a4 3249->3255 3256 6c723898-6c72389d 3249->3256 3257 6c7238b8-6c7238bb 3250->3257 3258 6c72399d-6c7239a3 3250->3258 3252->3253 3253->3212 3254->3210 3261 6c723abd-6c723ac9 call 6c723dcd 3255->3261 3256->3255 3263 6c7238be-6c7238e8 call 6c706add call 6c70f36c 3257->3263 3264 6c7239f0-6c7239f6 3258->3264 3265 6c7239a5 3258->3265 3280 6c723ba3-6c723ba6 call 6c78ae40 3259->3280 3281 6c723b7b-6c723ba1 call 6c71cff7 call 6c71f1fc 3259->3281 3260->3259 3276 6c723bab-6c723bb4 3260->3276 3261->3253 3299 6c723a91-6c723a93 3263->3299 3300 6c7238ee-6c7238f0 3263->3300 3268 6c723a2a-6c723a40 call 6c71cff7 call 6c71f4b1 3264->3268 3269 6c7239f8 3264->3269 3273 6c7239a8-6c7239d2 call 6c723d07 3265->3273 3268->3249 3301 6c723a46-6c723a5d call 6c71d0a2 3268->3301 3274 6c7239fa-6c723a0b call 6c79c180 3269->3274 3289 6c7239d7-6c7239d9 3273->3289 3290 6c7239d4 3273->3290 3274->3249 3298 6c723a11-6c723a16 3274->3298 3276->3239 3284 6c723bb6-6c723bb8 3276->3284 3280->3276 3281->3280 3308 6c723bdd-6c723c00 call 6c71d0a2 call 6c78ae40 3281->3308 3284->3239 3289->3255 3297 6c7239df-6c7239ec 3289->3297 3290->3289 3297->3273 3303 6c7239ee 3297->3303 3298->3261 3304 6c723a1c-6c723a28 3298->3304 3305 6c723aaf-6c723ab8 call 6c706240 3299->3305 3306 6c7238f6-6c723910 3300->3306 3307 6c723a95-6c723a9a 3300->3307 3318 6c723a80-6c723a8c call 6c723dcd 3301->3318 3319 6c723a5f-6c723a62 3301->3319 3303->3264 3304->3268 3304->3274 3305->3261 3315 6c723912-6c723922 call 6c71238c 3306->3315 3316 6c723928-6c72394f 3306->3316 3307->3305 3332 6c723c02-6c723c04 3308->3332 3333 6c723c08-6c723c1a call 6c706240 3308->3333 3315->3316 3334 6c723a9c-6c723aa5 3315->3334 3322 6c723951-6c723957 3316->3322 3323 6c72395a-6c72396e 3316->3323 3338 6c723c22-6c723c62 call 6c7a4210 * 2 3318->3338 3324 6c723a65-6c723a6a 3319->3324 3322->3323 3328 6c723970-6c723972 3323->3328 3329 6c723976-6c723997 call 6c706240 3323->3329 3324->3261 3330 6c723a6c-6c723a6e 3324->3330 3328->3329 3329->3258 3329->3263 3335 6c723a70-6c723a75 3330->3335 3336 6c723a77-6c723a7e 3330->3336 3332->3333 3333->3338 3347 6c723c1c-6c723c1e 3333->3347 3343 6c723aa7-6c723aa9 3334->3343 3344 6c723aad 3334->3344 3335->3336 3340 6c723aba-6c723abc 3335->3340 3336->3318 3336->3324 3350 6c723c64-6c723c68 3338->3350 3351 6c723ccc-6c723cf4 call 6c71d2d6 call 6c71d1df 3338->3351 3340->3261 3343->3344 3344->3305 3347->3338 3352 6c723cc0-6c723cca 3350->3352 3353 6c723c6a-6c723c6e 3350->3353 3351->3212 3352->3212 3352->3351 3355 6c723c70-6c723c7a call 6c7a4210 3353->3355 3356 6c723c7f-6c723cbb call 6c7a4210 call 6c7a41d0 call 6c71d2d6 call 6c71f7ff 3353->3356 3355->3356 3356->3352
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: >WJ$x$x
                                • API String ID: 2300968129-3162267903
                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction ID: 664e32f070883f7c0b9f050d542da3f983d17a66d1b59d917933a3540804480f
                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction Fuzzy Hash: F6128F71900209EFDF10DFA4CA88ADDBBB9FF08318F24856DE915AB650DB399A45CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3369 6c711fa6-6c711fe0 call 6c7a40e0 call 6c7a4150 3374 6c711fe2-6c711fef call 6c7a40e0 3369->3374 3375 6c712009-6c71200e 3369->3375 3382 6c711ff1 3374->3382 3383 6c711ff8-6c712006 call 6c7a4210 3374->3383 3377 6c712071-6c712074 3375->3377 3378 6c712010-6c71201f call 6c7a40e0 3375->3378 3379 6c712077-6c71207b 3377->3379 3385 6c712041-6c712053 call 6c7a40e0 call 6c7a4210 3378->3385 3386 6c712021 3378->3386 3387 6c711ff3-6c711ff6 3382->3387 3388 6c71206a-6c71206f 3382->3388 3383->3375 3399 6c712058-6c712061 3385->3399 3390 6c712023-6c712026 3386->3390 3391 6c712028-6c71203f call 6c7a4210 call 6c7a40e0 3386->3391 3387->3383 3387->3388 3388->3379 3390->3385 3390->3391 3391->3399 3399->3377 3401 6c712063 3399->3401 3401->3388 3402 6c712065-6c712068 3401->3402 3402->3377 3402->3388
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: dcad22b3b923e8b3514cd3aec283ff65230f9fc89c7cc3070ce385ce9c68523e
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: 05210130904219FEDF108ED5DE4CDDF7A7AEB423A8F248326B42061AD0D7728DA0E661

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 3403 6c7176ec-6c717705 call 6c7a3f10 3406 6c717707-6c71770c 3403->3406 3407 6c71771c-6c717723 3403->3407 3408 6c717715-6c71771a 3406->3408 3409 6c71770e-6c717713 3406->3409 3410 6c717724-6c717787 call 6c717e93 call 6c707204 call 6c7178f4 call 6c7448d2 call 6c718009 3407->3410 3408->3410 3409->3410 3421 6c717789-6c717795 call 6c7179b9 3410->3421 3422 6c71779a-6c7177a3 3410->3422 3421->3422 3424 6c7177a5-6c7177b1 3422->3424 3425 6c7177cc-6c7177d9 3422->3425 3426 6c7177c0-6c7177c7 call 6c7073ec 3424->3426 3427 6c7177b3-6c7177be call 6c70a89f 3424->3427 3428 6c7177f0-6c7177f9 3425->3428 3429 6c7177db-6c7177eb call 6c7073ec 3425->3429 3426->3425 3427->3425 3431 6c717882-6c7178ae call 6c717965 call 6c706240 3428->3431 3432 6c7177ff-6c71780a 3428->3432 3429->3428 3432->3431 3435 6c71780c 3432->3435 3438 6c717811-6c717828 call 6c732109 3435->3438 3444 6c7178b1-6c7178d2 call 6c726173 call 6c7a3f30 3438->3444 3445 6c71782e-6c71783d 3438->3445 3450 6c7178d7-6c7178ee call 6c726173 3444->3450 3447 6c717849-6c717880 call 6c714c9e 3445->3447 3448 6c71783f-6c717843 3445->3448 3447->3431 3456 6c71780e 3447->3456 3448->3447 3448->3450 3457 6c7178f4-6c717964 call 6c7a3f10 call 6c707204 * 7 3450->3457 3458 6c7178ef call 6c7a3f30 3450->3458 3456->3438 3458->3457
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C7176F1
                                  • Part of subcall function 6C726173: __EH_prolog.LIBCMT ref: 6C726178
                                • __EH_prolog.LIBCMT ref: 6C7178F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction ID: 8956f605b38eb4494d00d93c818af85f3f837dfa688992cfea32de835332b7d1
                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction Fuzzy Hash: 6C71D270A04255DFDB05DFA4C648BDDB7F0BF19308F1484A9E955ABB92CB74BA08CB90

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C760853
                                  • Part of subcall function 6C7605DF: __EH_prolog.LIBCMT ref: 6C7605E4
                                  • Part of subcall function 6C760943: __EH_prolog.LIBCMT ref: 6C760948
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: ((K$<(K$L(K$\(K
                                • API String ID: 3519838083-3238140439
                                • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                • Instruction ID: f5b28e4a23f5fbc524fdbc25960d95079bbad757e264c6df253c8ba966c7d743
                                • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                • Instruction Fuzzy Hash: 30215EB0901B448ED724DF6AC64869BFBF4EF50308F108A5F849687B50D7B4A608CB68

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 6C72B41D
                                  • Part of subcall function 6C72BE40: __EH_prolog.LIBCMT ref: 6C72BE45
                                  • Part of subcall function 6C72B8EB: __EH_prolog.LIBCMT ref: 6C72B8F0
                                  • Part of subcall function 6C72B593: __EH_prolog.LIBCMT ref: 6C72B598
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction ID: 5ab94c25839066f47613eea69ba4ecddd2134c12356eaafe52e5f200c21d6832
                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction Fuzzy Hash: 55218EB1E01258AACF05DBE5DA9C9EDBBF4AF15318F10806AE51667781DB781E0CCB50

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction ID: 1a91df6764e4438085ea9067c3906bf34b70e7d28b03c4be6ff709304317fcf4
                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction Fuzzy Hash: F111B0B0900B648AC7249F5AC55859AFBE4BFA5708B10CA1FC4A787B50C7F8A548CB99

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 5288 6c753e3f-6c753eea call 6c7a3f10 call 6c753c9d call 6c75353e call 6c753314 call 6c75c04a call 6c7559c7 call 6c75c04a * 2 5305 6c753ef0 5288->5305 5306 6c7541ee-6c75422d call 6c70869a 5288->5306 5307 6c753ef7-6c753f1d call 6c75353e 5305->5307 5312 6c75422f-6c75423b call 6c7a40c8 5306->5312 5313 6c75423e-6c754276 call 6c706240 * 2 call 6c753284 call 6c753c9d call 6c75599a 5306->5313 5315 6c753f23-6c753f26 5307->5315 5316 6c75438b-6c75439a call 6c7a3f30 5307->5316 5312->5313 5341 6c754290-6c75429c call 6c753447 5313->5341 5384 6c754278-6c75428e call 6c753447 5313->5384 5315->5316 5319 6c753f2c-6c753f32 5315->5319 5325 6c75439f-6c7543a7 call 6c753434 5316->5325 5323 6c7540bf-6c7540c2 5319->5323 5324 6c753f38-6c753f47 call 6c7533b5 5319->5324 5327 6c7540a7-6c7540ac 5323->5327 5339 6c7542c3-6c7542d2 call 6c7a3f30 5324->5339 5340 6c753f4d-6c753f56 5324->5340 5325->5341 5331 6c7540c4-6c7540ca 5327->5331 5332 6c7540ae-6c7540b1 5327->5332 5337 6c754327-6c754336 call 6c7a3f30 5331->5337 5338 6c7540d0-6c7540ed call 6c7543bd * 2 5331->5338 5332->5331 5336 6c7540b3-6c7540ba 5332->5336 5345 6c7541a9-6c7541cb 5336->5345 5350 6c75433b-6c75434a call 6c7a3f30 5337->5350 5386 6c754140-6c75414f 5338->5386 5387 6c7540ef-6c7540fa call 6c75353e 5338->5387 5347 6c7542d7-6c7542e6 call 6c7a3f30 5339->5347 5340->5347 5348 6c753f5c-6c753f65 5340->5348 5359 6c7542a2-6c7542a5 5341->5359 5360 6c7543ac-6c7543ba 5341->5360 5351 6c7541d2-6c7541e8 5345->5351 5352 6c7541cd call 6c753367 5345->5352 5365 6c7542eb-6c7542fa call 6c7a3f30 5347->5365 5356 6c753f67 call 6c753367 5348->5356 5357 6c753f6c-6c753f84 5348->5357 5372 6c75434f-6c75435e call 6c7a3f30 5350->5372 5351->5306 5364 6c753ef2-6c753ef5 5351->5364 5352->5351 5356->5357 5368 6c753f86 5357->5368 5369 6c753fc0-6c753fd2 5357->5369 5359->5325 5371 6c7542ab-6c7542ad 5359->5371 5364->5307 5385 6c7542ff-6c75430e call 6c7a3f30 5365->5385 5370 6c753f8b-6c753fb8 call 6c7a4250 5368->5370 5373 6c753fd4-6c753fdd call 6c72b61b 5369->5373 5374 6c753fe2-6c753fed 5369->5374 5402 6c753f88 5370->5402 5403 6c753fba-6c753fbd 5370->5403 5371->5325 5379 6c7542b3-6c7542c1 call 6c753d1d 5371->5379 5392 6c754363-6c754372 call 6c7a3f30 5372->5392 5373->5374 5382 6c754012-6c75401c 5374->5382 5383 6c753fef-6c753ffc call 6c75353e 5374->5383 5379->5341 5388 6c754313-6c754322 call 6c7a3f30 5382->5388 5389 6c754022-6c754026 5382->5389 5383->5365 5416 6c754002-6c75400c call 6c75353e 5383->5416 5384->5341 5385->5388 5393 6c754185-6c75418a 5386->5393 5394 6c754151-6c754157 5386->5394 5387->5372 5417 6c754100-6c754108 5387->5417 5388->5337 5400 6c754095-6c75409e 5389->5400 5401 6c754028-6c75403a call 6c75353e 5389->5401 5415 6c754377-6c754386 call 6c7a3f30 5392->5415 5410 6c7541a3 5393->5410 5411 6c75418c-6c754193 5393->5411 5394->5393 5406 6c754159-6c754163 call 6c75353e 5394->5406 5400->5324 5414 6c7540a4 5400->5414 5429 6c754044-6c754048 5401->5429 5430 6c75403c-6c754041 call 6c753367 5401->5430 5402->5370 5403->5369 5406->5392 5431 6c754169-6c754171 5406->5431 5410->5345 5410->5415 5412 6c754195-6c754199 5411->5412 5413 6c75419d 5411->5413 5412->5411 5420 6c75419b 5412->5420 5422 6c7541a0 5413->5422 5414->5327 5415->5316 5416->5382 5416->5385 5417->5372 5421 6c75410e-6c75411e call 6c75353e 5417->5421 5420->5422 5421->5350 5437 6c754124-6c75412c 5421->5437 5422->5410 5434 6c75406a-6c754071 5429->5434 5435 6c75404a-6c75404e 5429->5435 5430->5429 5431->5392 5436 6c754177-6c754183 5431->5436 5440 6c754073-6c754077 5434->5440 5441 6c754092 5434->5441 5435->5434 5439 6c754050-6c754053 5435->5439 5436->5393 5436->5406 5437->5350 5442 6c754132-6c75413e 5437->5442 5439->5441 5443 6c754055-6c754063 5439->5443 5440->5441 5444 6c754079-6c75407c 5440->5444 5441->5400 5442->5386 5442->5387 5443->5441 5445 6c754065-6c754068 5443->5445 5444->5441 5446 6c75407e-6c75408d 5444->5446 5445->5441 5446->5441 5447 6c75408f 5446->5447 5447->5441
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction ID: 58b5625096319baac91be1fefca74a650f026f9d9fb12e00b94e4e93011b9061
                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction Fuzzy Hash: 66129E70D01249DFCF04CFA4CA94ADDBBB1BF08308F548469E445ABB51DB35E965DB60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 5448 6c71fb91-6c71fbba call 6c7a3f10 5451 6c71fbc3-6c71fbda call 6c7a41d0 5448->5451 5452 6c71fbbc 5448->5452 5455 6c71fbe0-6c71fbee call 6c7a41d0 5451->5455 5456 6c71fbdc-6c71fbde 5451->5456 5452->5451 5460 6c71fbfd-6c71fc0c 5455->5460 5456->5455 5457 6c71fbf0-6c71fbfa 5456->5457 5457->5460 5461 6c71fc19-6c71fc3a call 6c70620c 5460->5461 5462 6c71fc0e-6c71fc13 5460->5462 5467 6c71fc5c 5461->5467 5468 6c71fc3c-6c71fc5a call 6c7a402a 5461->5468 5462->5461 5463 6c71fd6e-6c71fd92 call 6c71cff7 5462->5463 5472 6c71fd94-6c71fd96 5463->5472 5473 6c71fd98-6c71fdae call 6c71fec9 5463->5473 5471 6c71fc5e-6c71fc6c 5467->5471 5468->5471 5476 6c71fc9a-6c71fcab call 6c71cff7 5471->5476 5477 6c71fc6e 5471->5477 5472->5473 5478 6c71fdce-6c71fdd1 5472->5478 5483 6c71fdb0-6c71fdb9 5473->5483 5484 6c71fdbf-6c71fdc7 5473->5484 5490 6c71fd0b-6c71fd15 call 6c72003a 5476->5490 5491 6c71fcad 5476->5491 5481 6c71fc70-6c71fc98 5477->5481 5480 6c71fdd4-6c71fddb 5478->5480 5485 6c71fdf0-6c71fe6c call 6c71d0a2 call 6c7a4210 * 2 call 6c71d2d6 call 6c7a40e0 call 6c71d1df 5480->5485 5486 6c71fddd-6c71fddf 5480->5486 5481->5476 5481->5481 5483->5484 5498 6c71feb8-6c71fec6 5483->5498 5484->5473 5488 6c71fdc9-6c71fdcc 5484->5488 5535 6c71feb6 5485->5535 5536 6c71fe6e-6c71fe76 5485->5536 5486->5485 5489 6c71fde1-6c71fdea 5486->5489 5488->5473 5488->5478 5489->5485 5489->5498 5506 6c71fd17-6c71fd1f 5490->5506 5507 6c71fd49 5490->5507 5495 6c71fcb0-6c71fcc0 5491->5495 5501 6c71fce3-6c71fce9 call 6c79c200 5495->5501 5502 6c71fcc2-6c71fce1 call 6c71d506 call 6c79c240 5495->5502 5512 6c71fcee-6c71fcf3 5501->5512 5502->5512 5513 6c71fd21-6c71fd24 5506->5513 5514 6c71fd38-6c71fd44 call 6c72007b 5506->5514 5510 6c71fd55-6c71fd57 5507->5510 5511 6c71fd4b-6c71fd50 5507->5511 5518 6c71fd5b-6c71fd69 call 6c72007b 5510->5518 5511->5510 5519 6c71fcf5 5512->5519 5520 6c71fcf8-6c71fcfa 5512->5520 5521 6c71fd27-6c71fd2b 5513->5521 5514->5480 5518->5498 5519->5520 5520->5507 5528 6c71fcfc-6c71fd09 5520->5528 5522 6c71fd59 5521->5522 5523 6c71fd2d-6c71fd36 5521->5523 5522->5518 5523->5514 5523->5521 5528->5490 5528->5495 5535->5498 5537 6c71fe90-6c71fe92 5536->5537 5538 6c71fe78-6c71fe82 5536->5538 5541 6c71fe94-6c71feb4 call 6c71f7ff 5537->5541 5539 6c71fe84-6c71fe86 5538->5539 5540 6c71fe88-6c71fe8e 5538->5540 5539->5541 5540->5541 5541->5498 5541->5535
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction ID: ef4f1dd2817126ba5e1efdd96992c9868cc51d4954af4ebbcba1e009dd0dc88c
                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction Fuzzy Hash: 21B16CB1D04209DFCB14CFA9CA949EEBBB5FF48318B24862ED459A7B51C730AA45CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 5545 6c7231d6-6c723202 call 6c7a3f10 call 6c7232bf 5550 6c723204-6c723217 5545->5550 5551 6c72321c-6c72321e 5545->5551 5556 6c7232a0-6c7232ad 5550->5556 5552 6c723223-6c723229 5551->5552 5552->5552 5554 6c72322b-6c723238 call 6c723300 5552->5554 5558 6c72323a-6c72324d call 6c71f173 5554->5558 5559 6c72328b-6c72329f 5554->5559 5563 6c723251-6c723257 5558->5563 5559->5556 5564 6c72325a-6c723272 call 6c723300 call 6c7a25a0 5563->5564 5569 6c723274-6c72327b 5564->5569 5570 6c7232ae-6c7232b0 5564->5570 5569->5564 5571 6c72327d-6c723287 5569->5571 5570->5559 5572 6c723289 5571->5572 5573 6c72324f 5571->5573 5572->5559 5573->5563
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction ID: f1f79f13b91b7cac3b6b40fdf21b574f51cd42b7d7cf2f8d2b352214a9065262
                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction Fuzzy Hash: 1D21B670E41205CBCB04DFE9C6841EEF7FAFF94314F14862EC522A7B92C7785A068A60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 5574 6c73a584-6c73a5ac call 6c7a3f10 call 6c706add 5579 6c73a5b1-6c73a5bb 5574->5579 5580 6c73a5df-6c73a5eb 5579->5580 5581 6c73a5bd-6c73a5c6 5579->5581 5580->5579 5584 6c73a5ed-6c73a5ef 5580->5584 5582 6c73a5d0-6c73a5dd call 6c706ca1 5581->5582 5583 6c73a5c8-6c73a5cb call 6c706c81 5581->5583 5582->5580 5583->5582 5587 6c73a5f1-6c73a607 call 6c705d77 5584->5587 5588 6c73a61d-6c73a643 call 6c706b39 call 6c706240 5584->5588 5594 6c73a611-6c73a618 call 6c706ca1 5587->5594 5595 6c73a609-6c73a60c call 6c706c81 5587->5595 5594->5588 5595->5594
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0$LrJ$x
                                • API String ID: 3519838083-658305261
                                • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                • Instruction ID: acd71d29b0153d9a857cfe4f4b92173b537516c8225cb423914a384c6c3599e6
                                • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                • Instruction Fuzzy Hash: 32219272E011299ACF04DBD4CA996EEB7F5EF48308F20006AD811B3641DB755F48CBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C731ECC
                                  • Part of subcall function 6C71C58A: __EH_prolog.LIBCMT ref: 6C71C58F
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction ID: 6bbec1cb7b6e98c818db36d61d9f0501566166cb34b15cf2c7ebe1bdb4742984
                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction Fuzzy Hash: 4221DCB0901B40CFC761DF6AC14828ABBF4BF1A714B10C95EC1AA97B11D7B4A508CF55
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C7501BA
                                  • Part of subcall function 6C750269: __EH_prolog.LIBCMT ref: 6C75026E
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ
                                • API String ID: 3519838083-3152824450
                                • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                • Instruction ID: 7019fb8a2256cab21b27e34a81f23bced54c65711d7045f0233ca02d6f8c513b
                                • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                • Instruction Fuzzy Hash: 0D11D4B1901794CFC321CF5AC5986D6FBF4FB25308F90C9AE90AA87711D7B4A508CB64
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction ID: 2a3bb24d29db3534e98d1491e01319f6f44d44e83e15bb943ab6867430f62c7b
                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction Fuzzy Hash: 2C41CC72D05249AFCF14DBA0D6988EE77B4BF25308B10C16FD02167E50D73AA64DCB11
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                                • API String ID: 0-3393562052
                                • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                • Instruction ID: a32dbe49821bee235f04d94fede633835205dcb47b7e25cc916d95a78ec86563
                                • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                • Instruction Fuzzy Hash: D42138B0140B419FC320CF26C488787FBF4FB15745F50DA2ED1AA47A40C7B8A108CB98
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: f3e1137b0a31f8a6cd42a20402c54c00c6b6c1182e6be0b8420c4078c2751fda
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: B311E776200308BFEB204AA1DD49EAFBBBDEFC5744F00852DF14156A50CB72AC15E720
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C70B077
                                  • Part of subcall function 6C70AFF5: __EH_prolog.LIBCMT ref: 6C70AFFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction ID: 1a646c4676b4c4f8852f1bc9358cb2ef7bbea7c66981c5df515e3e7635a9c9a0
                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction Fuzzy Hash: 5BE1C2B0B002099ACB11DFA4CA98BEDB7F1EF1531CF10852DD86567A91EB70B789CB15
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x'K$|'K
                                • API String ID: 3519838083-1041342148
                                • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                • Instruction ID: c6d4fcc3a085517652e950082385643b688211f634bde3dd42582923c91bb4a1
                                • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                • Instruction Fuzzy Hash: D3D106709447C59BCF21CB62CB58AEFB7B0EF0130CF204629D8A663E90D775A64ADB15
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction ID: ca9ff5984be41596d291f8d3fb11cefdafdfc5ca8a992a93682f2659b8fa8568
                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction Fuzzy Hash: 31914CB0A10359DFCB10DF99CA889DEFBF4BF18308F54552EE459A7A91D770AA48CB10
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C725C5D
                                  • Part of subcall function 6C72461A: __EH_prolog.LIBCMT ref: 6C72461F
                                  • Part of subcall function 6C724A2E: __EH_prolog.LIBCMT ref: 6C724A33
                                  • Part of subcall function 6C725EA5: __EH_prolog.LIBCMT ref: 6C725EAA
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction ID: 4c77fff1cd288ae727b8ebbfa5d3a635544e5c01fb5cba0a46e79afddd9dd34d
                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction Fuzzy Hash: 3B818E31D00159DFCF15DFA4DA98ADDBBB4AF08318F1080AAE516B7791DB34AE49CB60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction ID: 553aa8db9b53c88f51fa5b8c6940795f8bf40daa6a3be56dc230e43ea39404e1
                                • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction Fuzzy Hash: F761E171A106098FDF00CF64C644BEEBBF5AF44309F64C068D858AF685DB71DA15CBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: CK$CK
                                • API String ID: 3519838083-2096518401
                                • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction ID: c1423dd80704b63680bd20fdbaba144414e0845015a6f31549e1d987c2c72694
                                • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction Fuzzy Hash: FF51A0B6E003059FDB04CFA4C9C4BEEB3B5FF88318F548529D901AB751DB75A9158BA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: <dJ$Q
                                • API String ID: 3519838083-2252229148
                                • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction ID: d28ed1e7b21f21a58624a4a19a8fa8266b20a1b3e1b5237b02108d057c1fbc9d
                                • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction Fuzzy Hash: A9519EB1A04209EFCF10DF94CA848EDB7B1FF59308F10852EE521ABA50D7759A8ACB14
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $D^J
                                • API String ID: 3519838083-3977321784
                                • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction ID: c5e177d034740fdfc2bca7ef627c2ce1472ee9efbf9954575094b2475f13e83e
                                • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction Fuzzy Hash: 414180A3A056905ED7228F28C6587DCBBB16F16308F14816FC4D147E81DF6F558BC395
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 8)L$8)L
                                • API String ID: 3519838083-2235878380
                                • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                • Instruction ID: acb7ac4637641c8388b5cb089bb60246576c0a110098db1aa7ac17a8cca45596
                                • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                • Instruction Fuzzy Hash: 30510131601600CFCB158FA4CA99ADAB7F2FF85328F10443ED19A87A61CB317888CF54
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: qJ$#
                                • API String ID: 3519838083-4209149730
                                • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                • Instruction ID: 4383d51e70cdae7bbdc206ac6a1708db6513d8195d2c4968cfe9db92ec89b5e4
                                • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                • Instruction Fuzzy Hash: 3B517D75A00259DFCF00CFA8C6489DDBBB5FF09318F14855AE815AB792C735EA05CBA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: PdJ$Q
                                • API String ID: 3519838083-3674001488
                                • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction ID: e592e7a48090b2c64a3634b767e2b237ef3154ffd7e2a5841a5aaa0563500e14
                                • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction Fuzzy Hash: 0D41BB71E04209DBCB10DFA8CA948EDB3B0FF5D758B10C12AE925A7A50C3349E45CBA8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: X&L$p|J
                                • API String ID: 3519838083-2944591232
                                • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                • Instruction ID: bb0937f903efec88cbbe41d41ed9416885c4cf0abf8908586a214d189d9394c1
                                • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                • Instruction Fuzzy Hash: B631F131785105CBD7009B58DF0DFF977B1EB02368F12C13ADA10E6EA0CBA09AE68B50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction ID: aeff6d59cd5248de75b3e971e9b605a92e6701394dcffec89a9d9eecd7557558
                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction Fuzzy Hash: 70419FB1601785DFDF119F60C6987EABBE2FF45208F00843EE45A97710CB31A954CB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction ID: 8d4b6a12cc917ff8ac244be22d787ca29a5929e87b33ba5cd951d6014c8a10f4
                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction Fuzzy Hash: FF21A6B0A407046ED720CFB98985B9BBAFCEB44714F10CA2EA186D3B40DB70A9049B65
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: #$4qJ
                                • API String ID: 3519838083-3965466581
                                • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                • Instruction ID: 95bdf84dc14167dd208dcc251ed2ddb57da6e0978d5350acf77a22d66e16b9e6
                                • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                • Instruction Fuzzy Hash: 0231CC75A05229DFDF10CF66CA48AEE73B5AF45318F00816AEC15A7B52C770AD09CB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction ID: 1cc0cb467f35401b8fbb9bd65f2ba38d70f9b3ecab30e95ff4a0edcbabc6bce0
                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction Fuzzy Hash: EF01C0B2E04309DACB10CFE985845AEFBB4FF69314F40942EE169F3A41C3349A04CB59
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction ID: addd9f758a668dd83aaf7137e0128ae412e61a39c12cffa79f73bb7280365525
                                • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction Fuzzy Hash: 00117C71A0420ADBCB00CFE9C59859EF7B4FF28358B50C42ED429E7B00D3349A46CB55
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: p/K$J
                                • API String ID: 3519838083-2069324279
                                • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction ID: 185b506758bce0f8a0577774f5e1791c166b1d00e4b50b71294d1d466bafe349
                                • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction Fuzzy Hash: F301BCB1A117019FD724CF59D6083AAF7F4EF54719F10C92ED052A3B40C7F8A9088BA4
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C74A185
                                  • Part of subcall function 6C74A22B: __EH_prolog.LIBCMT ref: 6C74A230
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                • Instruction ID: 8759be5365730707611fc29ff48c86e12f2b7db335057116b06dcb4c255f15ae
                                • Opcode Fuzzy Hash: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                • Instruction Fuzzy Hash: 3011A2B0911B108BC3249F2AC5581D6FBF8FFA5714F40C91FC4AA87B20C7B8A5488F98
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C747FCC
                                  • Part of subcall function 6C7474D1: __EH_prolog.LIBCMT ref: 6C7474D6
                                  • Part of subcall function 6C74614B: __EH_prolog.LIBCMT ref: 6C746150
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction ID: c1e361f6b44aa93eb65e6728bd03cb033689f1ed9f34af31076408c24ee1df78
                                • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction Fuzzy Hash: 490105B1800B51CFC325CF55C5A868AFBE0BB15304F90CD5EC0A657B50D7B8A508CB68
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C768439
                                  • Part of subcall function 6C7684BA: __EH_prolog.LIBCMT ref: 6C7684BF
                                  • Part of subcall function 6C74A22B: __EH_prolog.LIBCMT ref: 6C74A230
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: D.K$T.K
                                • API String ID: 3519838083-2437000251
                                • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                • Instruction ID: d667da730313e57be5a1ed4a110081fbfb9b6d9a66239cdeebac606390fbffd7
                                • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                • Instruction Fuzzy Hash: 75012CB1911711CFC724CF69C6182CABBF0AF19704F00CD1F84AA97B40E7B8A608CBA5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 8)L$8rJ
                                • API String ID: 3519838083-896068166
                                • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                • Instruction ID: eaa6ac0dd121afb6a6f0b9be8cef09d4798cc6ebd31dd06cf4a2def654b2c259
                                • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                • Instruction Fuzzy Hash: A9F03A76A14114EFC700CF98D949ADEBBF8FF4A364F14816AF405A7211C7B9DA04CBA5
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C7413F9
                                  • Part of subcall function 6C741320: __EH_prolog.LIBCMT ref: 6C741325
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: `)L$|{J
                                • API String ID: 3519838083-2198066115
                                • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction ID: fbb682e6f2a04a34ce8be660c0a131e8715340bb7c8a47b4511615c2a398225f
                                • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction Fuzzy Hash: FBF08272610014FFCB059F94DD08BDEBBB9FF49314F00802AF51596650CBB5AA15CB94
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: |zJ
                                • API String ID: 3037903784-3782439380
                                • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction ID: e2622474ac99ebd12105ce7ed8f0abc790afc204f2817f589c17b02c8d7f6327
                                • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction Fuzzy Hash: 3CE0E5726411109BE7048F48D904BDEF3A4FF65714F10801FD026A3A40CBB4A8108781
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: \~J
                                • API String ID: 3037903784-3176329776
                                • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                • Instruction ID: 99548181a119ffa8d432dc6cfa58653aca48db83c1c5d6444c9f732b4b711536
                                • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                • Instruction Fuzzy Hash: DFE06D76A055119BDB24CF4DDA18BDEF3B8EF44B18F20816ED021A7A51CBB1A900A684
                                APIs
                                • __EH_prolog.LIBCMT ref: 6C7460E0
                                  • Part of subcall function 6C74614B: __EH_prolog.LIBCMT ref: 6C746150
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                • Instruction ID: be4c41749cc2de928482f2abc2d4c06639d0aae7855314c34cbf5babf931acef
                                • Opcode Fuzzy Hash: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                • Instruction Fuzzy Hash: F0F0C4B0911B51CFC724DF59D91868ABBF0FB15704B50C91F80AA97B10D7B8A548CBA8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction ID: f15a638e0ff770b44e1014bc09ed823659df114f5703885cfff10714e062d552
                                • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction Fuzzy Hash: BEE0ED72A01121DBDB089F48DA28BDEF7A4EF85768F11012EA015A7B42CBB1A8048A80
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: @ K$DJ$T)K$X/K
                                • API String ID: 0-3815299647
                                • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                • Instruction ID: 64f273d6c883c7a87002f00fdec9dbcdc48d0d70835b38e576376ba84af97f31
                                • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                • Instruction Fuzzy Hash: E391D1706053458BCF00EE76CB587EAB7B2AF4230EF108869CC669BF85CB75A949C751
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463
                                • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction ID: ebdc9128e6d3246b2d364fc5b4f33f545d0eacc026add32374d791a383fc0f5a
                                • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction Fuzzy Hash: 8051C370A052099BCF00DFA2DA5CADEB7B1BF0531CF108529EC11A7E90DBB5DA89C750
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: (?K$8?K$H?K$CK
                                • API String ID: 0-3450752836
                                • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction ID: cab8bf75da0d0ccc9f19e09efab74ac57dee3cc0d74b0106239eaef8ffaa322a
                                • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction Fuzzy Hash: EDF030B05027009FC320CF45D54869BF7F4EB45709F50C91EE1AA97A40D3BCE5088FA8
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2303280402.000000006C705000.00000004.00000001.01000000.00000009.sdmp, Offset: 6C705000, based on PE: true
                                • Associated: 00000007.00000002.2303888987.000000006C7D6000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c610000_Setup64v7.jbxd
                                Similarity
                                • API ID:
                                • String ID: 00K$@0K$P0K$`0K
                                • API String ID: 0-1070766156
                                • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                                • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8

                                Execution Graph

                                Execution Coverage:3.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:1.8%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:39
                                execution_graph 75485 b7adb7 75486 b7adc1 __EH_prolog 75485->75486 75501 b426dd 75486->75501 75488 b7ae1d 75504 b42e04 75488->75504 75491 b42e04 2 API calls 75492 b7ae44 75491->75492 75493 b42e04 2 API calls 75492->75493 75494 b7ae68 75493->75494 75507 b7ad29 75494->75507 75498 b7ae94 75499 b42e04 2 API calls 75498->75499 75500 b7aeb2 75499->75500 75525 b41e0c 75501->75525 75505 b41e0c ctype 2 API calls 75504->75505 75506 b42e11 75505->75506 75506->75491 75508 b7ad33 __EH_prolog 75507->75508 75509 b42e04 2 API calls 75508->75509 75510 b7ad5f 75509->75510 75511 b42e04 2 API calls 75510->75511 75512 b7ad72 75511->75512 75513 b7af2d 75512->75513 75514 b7af37 __EH_prolog 75513->75514 75530 b534f4 malloc _CxxThrowException __EH_prolog 75514->75530 75516 b7afac 75517 b42e04 2 API calls 75516->75517 75518 b7afbb 75517->75518 75519 b42e04 2 API calls 75518->75519 75520 b7afca 75519->75520 75521 b42e04 2 API calls 75520->75521 75522 b7afd9 75521->75522 75523 b42e04 2 API calls 75522->75523 75524 b7afe8 75523->75524 75524->75498 75526 b41e15 75525->75526 75527 b41e1c malloc 75525->75527 75526->75527 75528 b41e3e 75527->75528 75529 b41e2a _CxxThrowException 75527->75529 75528->75488 75529->75528 75530->75516 75531 b75475 75536 b42fec 75531->75536 75535 b754bb 75537 b42ffc 75536->75537 75538 b42ff8 75536->75538 75537->75538 75539 b41e0c ctype 2 API calls 75537->75539 75542 b7c911 75538->75542 75540 b43010 75539->75540 75587 b41e40 free 75540->75587 75543 b7c926 GetTickCount 75542->75543 75544 b7c92f 75542->75544 75543->75544 75545 b7c96d 75544->75545 75548 b7cb64 75544->75548 75613 b42ab1 strcmp 75544->75613 75545->75548 75588 b7c86a 75545->75588 75548->75535 75550 b7c9ce 75550->75548 75596 b427bb 75550->75596 75551 b7c95b 75551->75545 75614 b43542 wcscmp 75551->75614 75555 b7ca0a 75556 b7ca21 75555->75556 75557 b4286d 5 API calls 75555->75557 75564 b4286d 5 API calls 75556->75564 75581 b7cb10 75556->75581 75559 b7ca16 75557->75559 75558 b7c9e2 
75558->75555 75616 b4286d 75558->75616 75623 b428fa malloc _CxxThrowException free memcpy _CxxThrowException 75559->75623 75567 b7ca40 75564->75567 75566 b7cb59 75635 b7cb92 malloc _CxxThrowException free 75566->75635 75570 b42fec 3 API calls 75567->75570 75573 b7ca4e 75570->75573 75624 b42033 75573->75624 75574 b7cb50 75577 b427bb 3 API calls 75574->75577 75575 b7cb49 75634 b41f91 fflush 75575->75634 75577->75566 75579 b7caf5 75633 b428fa malloc _CxxThrowException free memcpy _CxxThrowException 75579->75633 75602 b7cb74 75581->75602 75582 b42fec 3 API calls 75585 b7ca6a 75582->75585 75585->75579 75585->75582 75586 b42033 10 API calls 75585->75586 75631 b43599 memmove 75585->75631 75632 b43402 malloc _CxxThrowException free memmove _CxxThrowException 75585->75632 75586->75585 75587->75538 75589 b7c88c __aulldiv 75588->75589 75590 b7c8d3 strlen 75589->75590 75591 b7c900 75590->75591 75595 b7c8f1 75590->75595 75592 b428a1 5 API calls 75591->75592 75593 b7c90c 75592->75593 75593->75550 75615 b42ab1 strcmp 75593->75615 75594 b4286d 5 API calls 75594->75595 75595->75591 75595->75594 75597 b427c7 75596->75597 75601 b427e3 75596->75601 75598 b41e0c ctype 2 API calls 75597->75598 75597->75601 75599 b427da 75598->75599 75636 b41e40 free 75599->75636 75601->75558 75603 b7cb1c 75602->75603 75604 b7cb7c strcmp 75602->75604 75603->75566 75605 b7c7d7 75603->75605 75604->75603 75606 b7c849 75605->75606 75608 b7c7ea 75605->75608 75607 b7c85a fputs 75606->75607 75638 b41f91 fflush 75606->75638 75607->75574 75607->75575 75609 b7c7fe fputs 75608->75609 75637 b425cb malloc _CxxThrowException free _CxxThrowException ctype 75608->75637 75609->75606 75613->75551 75614->75545 75615->75550 75639 b41e9d 75616->75639 75619 b428a1 75620 b428b0 75619->75620 75644 b4267f 75620->75644 75622 b428bf 75622->75555 75623->75556 75625 b4203b 75624->75625 75626 b42054 75625->75626 75627 b42045 75625->75627 75655 b437ff 9 API calls 75626->75655 75654 b4421e malloc _CxxThrowException free 
_CxxThrowException _CxxThrowException 75627->75654 75630 b42052 75630->75585 75631->75585 75632->75585 75633->75581 75634->75574 75635->75548 75636->75601 75637->75609 75638->75607 75640 b41ead 75639->75640 75641 b41ea8 75639->75641 75640->75619 75643 b4263c malloc _CxxThrowException free memcpy _CxxThrowException 75641->75643 75643->75640 75645 b426c2 75644->75645 75646 b42693 75644->75646 75645->75622 75647 b426c8 _CxxThrowException 75646->75647 75648 b426bc 75646->75648 75649 b426dd 75647->75649 75653 b42595 malloc _CxxThrowException free memcpy ctype 75648->75653 75651 b41e0c ctype 2 API calls 75649->75651 75652 b426ea 75651->75652 75652->75622 75653->75645 75654->75630 75655->75630 75656 b88eb1 75661 b88ed1 75656->75661 75659 b88ec9 75662 b88edb __EH_prolog 75661->75662 75670 b89267 75662->75670 75666 b88efd 75675 b7e5f1 free ctype 75666->75675 75668 b88eb9 75668->75659 75669 b41e40 free 75668->75669 75669->75659 75671 b89271 __EH_prolog 75670->75671 75676 b41e40 free 75671->75676 75673 b88ef1 75674 b8922b free CloseHandle GetLastError ctype 75673->75674 75674->75666 75675->75668 75676->75673 75677 b4c3bd 75678 b4c3ca 75677->75678 75680 b4c3db 75677->75680 75678->75680 75681 b41e40 free 75678->75681 75681->75680 75682 b7993d 75766 b7b5b1 75682->75766 75685 b79963 75772 b51f33 75685->75772 75688 b79975 75689 b799b7 GetStdHandle GetConsoleScreenBufferInfo 75688->75689 75690 b799ce 75688->75690 75689->75690 75691 b41e0c ctype 2 API calls 75690->75691 75692 b799dc 75691->75692 75893 b67b48 75692->75893 75694 b79a29 75922 b7b96d _CxxThrowException 75694->75922 75696 b79a30 75923 b67018 8 API calls 2 library calls 75696->75923 75698 b79a7c 75924 b6ddb5 6 API calls 2 library calls 75698->75924 75700 b79a66 _CxxThrowException 75700->75698 75701 b79aa6 75702 b79aaa _CxxThrowException 75701->75702 75712 b79ac0 75701->75712 75702->75712 75703 b79a37 75703->75698 75703->75700 75704 b79b3a 75928 b41fa0 fputc 75704->75928 75707 b79bfa _CxxThrowException 75762 b79be6 
75707->75762 75708 b79b63 fputs 75929 b41fa0 fputc 75708->75929 75711 b79b79 strlen strlen 75713 b79e25 75711->75713 75714 b79baa fputs fputc 75711->75714 75712->75704 75712->75707 75925 b67dd7 7 API calls 2 library calls 75712->75925 75926 b7c077 6 API calls 75712->75926 75927 b41e40 free 75712->75927 75937 b41fa0 fputc 75713->75937 75714->75762 75717 b79e2c fputs 75938 b41fa0 fputc 75717->75938 75719 b79f0c 75943 b41fa0 fputc 75719->75943 75722 b79f13 fputs 75944 b41fa0 fputc 75722->75944 75726 b79f9f 75728 b7ac3a 75726->75728 75729 b7ac35 75726->75729 75727 b42e04 2 API calls 75727->75762 75950 b7b96d _CxxThrowException 75728->75950 75949 b7b988 33 API calls __aulldiv 75729->75949 75733 b7ac42 75951 b41e40 free 75733->75951 75734 b7b67d 12 API calls 75734->75762 75737 b7ac4d 75952 b63247 75737->75952 75740 b79f29 75740->75726 75752 b79f77 fputs 75740->75752 75945 b7b650 fputc fputs fputs fputc 75740->75945 75946 b7b5e9 fputc fputs 75740->75946 75947 b7bde4 fputc fputs 75740->75947 75743 b79d2a fputs 75934 b421d8 fputs 75743->75934 75749 b79d5f fputs 75749->75762 75750 b431e5 malloc _CxxThrowException free _CxxThrowException 75750->75762 75948 b41fa0 fputc 75752->75948 75754 b79e42 75754->75719 75759 b79ee0 fputs 75754->75759 75939 b7b650 fputc fputs fputs fputc 75754->75939 75940 b421d8 fputs 75754->75940 75941 b7bde4 fputc fputs 75754->75941 75942 b41fa0 fputc 75759->75942 75762->75713 75762->75714 75762->75727 75762->75734 75762->75743 75762->75749 75762->75750 75930 b421d8 fputs 75762->75930 75931 b4315e malloc _CxxThrowException free _CxxThrowException 75762->75931 75932 b43221 malloc _CxxThrowException free _CxxThrowException 75762->75932 75933 b41089 malloc _CxxThrowException free _CxxThrowException 75762->75933 75935 b41fa0 fputc 75762->75935 75936 b41e40 free 75762->75936 75767 b7994a 75766->75767 75768 b7b5bc fputs 75766->75768 75767->75685 75910 b41fb3 75767->75910 75962 b41fa0 fputc 75768->75962 75770 b7b5d5 75770->75767 75771 b7b5d9 fputs 
75770->75771 75771->75767 75773 b51f6c 75772->75773 75774 b51f4f 75772->75774 75963 b529eb 75773->75963 76005 b61d73 5 API calls __EH_prolog 75774->76005 75777 b51f5e _CxxThrowException 75777->75773 75779 b51fa3 75781 b51fbc 75779->75781 75783 b44fc0 5 API calls 75779->75783 75784 b51fda 75781->75784 75785 b42fec 3 API calls 75781->75785 75782 b51f95 _CxxThrowException 75782->75779 75783->75781 75786 b52022 wcscmp 75784->75786 75794 b52036 75784->75794 75785->75784 75787 b520af 75786->75787 75786->75794 76007 b61d73 5 API calls __EH_prolog 75787->76007 75789 b520be _CxxThrowException 75789->75794 75790 b520a9 76008 b5393c 6 API calls 2 library calls 75790->76008 75792 b520f4 76009 b5393c 6 API calls 2 library calls 75792->76009 75794->75790 75799 b5219a 75794->75799 75795 b52108 75796 b52135 75795->75796 76010 b52e04 62 API calls 2 library calls 75795->76010 75804 b52159 75796->75804 76011 b52e04 62 API calls 2 library calls 75796->76011 76012 b61d73 5 API calls __EH_prolog 75799->76012 75801 b521a9 _CxxThrowException 75801->75804 75802 b5227f 75968 b52aa9 75802->75968 75803 b52245 75807 b42fec 3 API calls 75803->75807 75804->75802 75804->75803 76013 b61d73 5 API calls __EH_prolog 75804->76013 75810 b5225c 75807->75810 75809 b52237 _CxxThrowException 75809->75803 75810->75802 76014 b61d73 5 API calls __EH_prolog 75810->76014 75811 b522d9 75813 b52302 75811->75813 75814 b42fec 3 API calls 75811->75814 75812 b42fec 3 API calls 75812->75811 75986 b44fc0 75813->75986 75814->75813 75818 b52271 _CxxThrowException 75818->75802 75820 b52322 75822 b526c6 75820->75822 75830 b523a1 75820->75830 75821 b528ce 75823 b5293a 75821->75823 75837 b528d5 75821->75837 75822->75821 75824 b52700 75822->75824 76027 b61d73 5 API calls __EH_prolog 75822->76027 75827 b529a5 75823->75827 75828 b5293f 75823->75828 76028 b532ec 14 API calls 2 library calls 75824->76028 75832 b529ae _CxxThrowException 75827->75832 75885 b5264d 75827->75885 76045 b44eec 16 API calls 75828->76045 75835 b5247a 
wcscmp 75830->75835 75854 b5248e 75830->75854 75831 b526f2 _CxxThrowException 75831->75824 75833 b52713 76029 b53a29 75833->76029 75834 b5294c 76046 b44ea1 8 API calls 75834->76046 75840 b524cf wcscmp 75835->75840 75835->75854 75837->75885 76044 b61d73 5 API calls __EH_prolog 75837->76044 75841 b524ef wcscmp 75840->75841 75840->75854 75845 b5250f 75841->75845 75841->75854 75842 b52953 75846 b44fc0 5 API calls 75842->75846 76018 b61d73 5 API calls __EH_prolog 75845->76018 75846->75885 75847 b52920 _CxxThrowException 75847->75885 75850 b5251e _CxxThrowException 75852 b5252c 75850->75852 75851 b527cf 75855 b52880 75851->75855 75860 b5281f 75851->75860 76040 b61d73 5 API calls __EH_prolog 75851->76040 75856 b52569 75852->75856 76019 b52e04 62 API calls 2 library calls 75852->76019 75853 b42fec 3 API calls 75857 b527a9 75853->75857 75854->75852 76015 b44eec 16 API calls 75854->76015 76016 b44ea1 8 API calls 75854->76016 76017 b61d73 5 API calls __EH_prolog 75854->76017 75859 b5289b 75855->75859 75865 b42fec 3 API calls 75855->75865 75863 b5258c 75856->75863 76020 b52e04 62 API calls 2 library calls 75856->76020 75857->75851 76039 b43563 memmove 75857->76039 75859->75885 76043 b61d73 5 API calls __EH_prolog 75859->76043 75860->75855 75867 b52847 75860->75867 76041 b61d73 5 API calls __EH_prolog 75860->76041 75869 b525a4 75863->75869 76021 b52a61 malloc _CxxThrowException free _CxxThrowException memcpy 75863->76021 75864 b524c1 _CxxThrowException 75864->75840 75865->75859 75866 b52811 _CxxThrowException 75866->75860 75867->75855 76042 b61d73 5 API calls __EH_prolog 75867->76042 76022 b44eec 16 API calls 75869->76022 75875 b525ad 76023 b61b07 49 API calls 75875->76023 75876 b528c0 _CxxThrowException 75876->75821 75877 b52839 _CxxThrowException 75877->75867 75880 b52872 _CxxThrowException 75880->75855 75881 b525b4 76024 b44ea1 8 API calls 75881->76024 75883 b525bb 75884 b42fec 3 API calls 75883->75884 75887 b525d6 75883->75887 75884->75887 75885->75688 75886 b5261f 
75886->75885 75888 b42fec 3 API calls 75886->75888 75887->75885 75887->75886 76025 b61d73 5 API calls __EH_prolog 75887->76025 75891 b5263f 75888->75891 75890 b52611 _CxxThrowException 75890->75886 76026 b4859e malloc _CxxThrowException free _CxxThrowException 75891->76026 75894 b67b52 __EH_prolog 75893->75894 76089 b67eec 75894->76089 75897 b67ca4 75897->75694 75898 b67b63 75898->75897 75899 b42e04 malloc _CxxThrowException 75898->75899 75900 b430ea malloc _CxxThrowException free 75898->75900 75902 b41e40 free ctype 75898->75902 75904 b804d2 5 API calls 75898->75904 75908 b67c61 memcpy 75898->75908 76094 b670ea 75898->76094 76097 b67a40 75898->76097 76115 b67cc3 6 API calls 75898->76115 76116 b512a5 75898->76116 76121 b4429a 75898->76121 76127 b674eb malloc _CxxThrowException memcpy __EH_prolog ctype 75898->76127 76128 b67193 75898->76128 75899->75898 75900->75898 75902->75898 75904->75898 75908->75898 75911 b41fbd __EH_prolog 75910->75911 75912 b426dd 2 API calls 75911->75912 75913 b41fcb 75912->75913 76146 b42e47 75913->76146 75917 b41fed 76153 b41e40 free 75917->76153 75919 b41ff5 76154 b41e40 free 75919->76154 75921 b41ffd 75921->75685 75922->75696 75923->75703 75924->75701 75925->75712 75926->75712 75927->75712 75928->75708 75929->75711 75930->75762 75931->75762 75932->75762 75933->75762 75934->75762 75935->75762 75936->75762 75937->75717 75938->75754 75939->75754 75940->75754 75941->75754 75942->75754 75943->75722 75944->75740 75945->75740 75946->75740 75947->75740 75948->75740 75949->75728 75950->75733 75951->75737 75956 b6324e 75952->75956 75953 b63260 76155 b41e40 free 75953->76155 75956->75953 76156 b41e40 free 75956->76156 75957 b63267 75962->75770 76047 b42f1c 75963->76047 75965 b529fe 76050 b41e40 free 75965->76050 75967 b51f7e 75967->75779 76006 b61d73 5 API calls __EH_prolog 75967->76006 75969 b52ab3 __EH_prolog 75968->75969 75979 b52b0f 75969->75979 76054 b42e8a 75969->76054 75972 b522ad 75972->75811 75972->75812 75974 b52b04 76059 b41e40 free 
75974->76059 75975 b52bc6 76064 b61d73 5 API calls __EH_prolog 75975->76064 75978 b52bd6 _CxxThrowException 75978->75972 75979->75972 75979->75975 75983 b52b9f 75979->75983 76060 b52cb4 48 API calls 2 library calls 75979->76060 76061 b52bf5 8 API calls __EH_prolog 75979->76061 76062 b52a61 malloc _CxxThrowException free _CxxThrowException memcpy 75979->76062 75983->75972 76063 b61d73 5 API calls __EH_prolog 75983->76063 75985 b52bb8 _CxxThrowException 75985->75975 75987 b44fd2 75986->75987 75989 b44fce 75986->75989 76065 b67ebb 75987->76065 75996 b5384c 75989->75996 75991 b45006 75991->75989 76070 b41524 malloc _CxxThrowException __EH_prolog ctype 75991->76070 75992 b44ffe 76069 b80551 malloc _CxxThrowException free memcpy ctype 75992->76069 75993 b44fe9 _CxxThrowException 75993->75992 75999 b53856 __EH_prolog 75996->75999 75997 b42e04 malloc _CxxThrowException 75997->75999 75998 b42fec 3 API calls 75998->75999 75999->75997 75999->75998 76003 b41e40 free ctype 75999->76003 76004 b53917 75999->76004 76071 b42f88 75999->76071 76077 b804d2 75999->76077 76083 b53b76 malloc _CxxThrowException __EH_prolog ctype 75999->76083 76003->75999 76004->75820 76005->75777 76006->75782 76007->75789 76008->75792 76009->75795 76010->75796 76011->75804 76012->75801 76013->75809 76014->75818 76015->75854 76016->75854 76017->75864 76018->75850 76019->75856 76020->75863 76021->75869 76022->75875 76023->75881 76024->75883 76025->75890 76026->75885 76027->75831 76028->75833 76030 b53a3b 76029->76030 76036 b52722 76029->76036 76086 b53bd9 free ctype 76030->76086 76032 b53a42 76033 b53a67 76032->76033 76034 b53a52 _CxxThrowException 76032->76034 76035 b53a6f 76032->76035 76087 b80551 malloc _CxxThrowException free memcpy ctype 76033->76087 76034->76033 76035->76036 76088 b53b76 malloc _CxxThrowException __EH_prolog ctype 76035->76088 76036->75851 76036->75853 76039->75851 76040->75866 76041->75877 76042->75880 76043->75876 76044->75847 76045->75834 76046->75842 76051 b42ba6 76047->76051 
76050->75967 76052 b41e0c ctype 2 API calls 76051->76052 76053 b42bbb 76052->76053 76053->75965 76055 b42ea0 76054->76055 76056 b42ba6 2 API calls 76055->76056 76057 b42eaf 76056->76057 76058 b52a61 malloc _CxxThrowException free _CxxThrowException memcpy 76057->76058 76058->75974 76059->75979 76060->75979 76061->75979 76062->75979 76063->75985 76064->75978 76066 b67ec6 76065->76066 76067 b44fd9 76065->76067 76066->76067 76068 b41e40 free ctype 76066->76068 76067->75991 76067->75992 76067->75993 76068->76066 76069->75991 76070->75991 76072 b42f9a 76071->76072 76073 b41e0c ctype 2 API calls 76072->76073 76076 b42fbe 76072->76076 76074 b42fb4 76073->76074 76084 b41e40 free 76074->76084 76076->75999 76078 b804df 76077->76078 76079 b80513 76077->76079 76080 b804e8 _CxxThrowException 76078->76080 76081 b804fd 76078->76081 76079->75999 76080->76081 76085 b80551 malloc _CxxThrowException free memcpy ctype 76081->76085 76083->75999 76084->76076 76085->76079 76086->76032 76087->76035 76088->76035 76091 b67f14 76089->76091 76093 b67ef7 76089->76093 76090 b67193 free 76090->76093 76091->75898 76093->76090 76093->76091 76136 b41e40 free 76093->76136 76095 b42e04 2 API calls 76094->76095 76096 b67103 76095->76096 76096->75898 76098 b67a4a __EH_prolog 76097->76098 76137 b4361b 6 API calls 2 library calls 76098->76137 76100 b67a78 76138 b4361b 6 API calls 2 library calls 76100->76138 76102 b67b20 76140 b72db9 free ctype 76102->76140 76104 b67b2b 76141 b72db9 free ctype 76104->76141 76106 b67b37 76106->75898 76107 b42e04 malloc _CxxThrowException 76113 b67a83 76107->76113 76108 b42fec 3 API calls 76108->76113 76109 b42fec 3 API calls 76111 b67aca wcscmp 76109->76111 76110 b804d2 5 API calls 76110->76113 76111->76113 76113->76102 76113->76107 76113->76108 76113->76109 76113->76110 76114 b41e40 free ctype 76113->76114 76139 b67955 malloc _CxxThrowException __EH_prolog ctype 76113->76139 76114->76113 76115->75898 76117 b804d2 5 API calls 76116->76117 76118 b512ad 76117->76118 76119 
b41e0c ctype 2 API calls 76118->76119 76120 b512b4 76119->76120 76120->75898 76122 b442a7 76121->76122 76123 b442c5 76121->76123 76124 b442b3 76122->76124 76142 b41e40 free 76122->76142 76123->75898 76124->76123 76126 b41e0c ctype 2 API calls 76124->76126 76126->76123 76127->75898 76129 b6719d __EH_prolog 76128->76129 76143 b72db9 free ctype 76129->76143 76131 b671b3 76144 b671d5 free __EH_prolog ctype 76131->76144 76133 b671bf 76145 b41e40 free 76133->76145 76135 b671c7 76135->75898 76136->76093 76137->76100 76138->76113 76139->76113 76140->76104 76141->76106 76142->76124 76143->76131 76144->76133 76145->76135 76148 b42e57 76146->76148 76147 b42ba6 2 API calls 76149 b41fda 76147->76149 76148->76147 76148->76148 76150 b42010 76149->76150 76151 b42033 10 API calls 76150->76151 76152 b42022 fputs 76151->76152 76152->75917 76153->75919 76154->75921 76155->75957 76156->75956 76160 bdffb1 __setusermatherr 76161 bdffbd 76160->76161 76166 be0068 _controlfp 76161->76166 76163 bdffc2 _initterm __getmainargs _initterm __p___initenv 76164 b7c27c 76163->76164 76165 be001d exit _XcptFilter 76164->76165 76166->76163 76167 bc69f0 free 76168 b6cefb 76169 b6d0cc 76168->76169 76170 b6cf03 76168->76170 76170->76169 76215 b6cae9 VariantClear 76170->76215 76172 b6cf59 76172->76169 76216 b6cae9 VariantClear 76172->76216 76174 b6cf71 76174->76169 76217 b6cae9 VariantClear 76174->76217 76176 b6cf87 76176->76169 76218 b6cae9 VariantClear 76176->76218 76178 b6cf9d 76178->76169 76219 b6cae9 VariantClear 76178->76219 76180 b6cfb3 76180->76169 76220 b6cae9 VariantClear 76180->76220 76182 b6cfc9 76182->76169 76221 b44504 malloc _CxxThrowException 76182->76221 76184 b6cfdc 76185 b42e04 2 API calls 76184->76185 76187 b6cfe7 76185->76187 76186 b6d009 76189 b6d07b 76186->76189 76191 b6d080 76186->76191 76192 b6d030 76186->76192 76187->76186 76188 b42f88 3 API calls 76187->76188 76188->76186 76229 b41e40 free 76189->76229 76226 b67a0c CharUpperW 76191->76226 76195 b42e04 2 API calls 76192->76195 
[Execution graph residue: this section of the report is the raw node/edge list of the sandbox call graph (function addresses and their edges), which is not readable as text and is omitted here. The only recoverable information is the set of Windows API calls referenced by the graphed functions: CreateFileW, SetFileTime, DeviceIoControl, GetDiskFreeSpaceW, SetFilePointer, ReadFile, WriteFile, FindFirstFileW, FindClose, SetFileSecurityW, CloseHandle, GetModuleHandleW, GetModuleHandleA, GetProcAddress, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetProcessAffinityMask, GetSystemInfo, GlobalMemoryStatusEx, GlobalMemoryStatus, VirtualAlloc, VirtualFree, WaitForSingleObject, SetEvent, SetConsoleCtrlHandler, GetLastError, SetLastError, CharUpperW, VariantClear, plus CRT routines (malloc, free, memcpy, memmove, memset, wcscmp, fputs, fputc, _CxxThrowException).]
79212 b851c5 79218 b8522d 79212->79218 79219 b851f5 79212->79219 79214 b85140 79304 b41e40 free 79214->79304 79216 b85148 79305 b41e40 free 79216->79305 79220 b42e04 2 API calls 79218->79220 79308 b41e40 free 79219->79308 79268 b85235 79220->79268 79222 b851fd 79309 b41e40 free 79222->79309 79225 b85205 79310 b41e40 free 79225->79310 79226 b8532e 79319 b41e40 free 79226->79319 79229 b8520d 79311 b41e40 free 79229->79311 79230 b85347 79230->79167 79232 b85358 79230->79232 79320 b41e40 free 79232->79320 79233 b85215 79312 b41e40 free 79233->79312 79235 b853a3 79326 b41e40 free 79235->79326 79237 b8521d 79313 b41e40 free 79237->79313 79238 b85360 79321 b41e40 free 79238->79321 79242->79021 79243 b85368 79322 b41e40 free 79243->79322 79246 b853bc 79327 b41e40 free 79246->79327 79248 b85370 79323 b41e40 free 79248->79323 79250 b853c4 79328 b41e40 free 79250->79328 79252 b85378 79324 b41e40 free 79252->79324 79254 b804d2 5 API calls 79254->79268 79256 b853cc 79329 b41e40 free 79256->79329 79257 b85380 79325 b41e40 free 79257->79325 79261 b853d4 79330 b41e40 free 79261->79330 79263 b853dc 79331 b41e40 free 79263->79331 79265 b853e4 79332 b41e40 free 79265->79332 79268->79226 79268->79235 79268->79254 79269 b42e04 2 API calls 79268->79269 79314 b8545c 5 API calls 2 library calls 79268->79314 79315 b51029 6 API calls 79268->79315 79316 b5089e malloc _CxxThrowException free _CxxThrowException memcpy 79268->79316 79317 b80516 malloc _CxxThrowException ctype 79268->79317 79318 b41e40 free 79268->79318 79269->79268 79272 b57fcf __EH_prolog 79271->79272 79274 b58061 79272->79274 79276 b5805c 79272->79276 79277 b58019 79272->79277 79280 b57ff4 79272->79280 79273 b5800a 79348 b49736 VariantClear 79273->79348 79274->79276 79289 b58025 79274->79289 79347 b49630 VariantClear 79276->79347 79277->79280 79281 b5801e 79277->79281 79279 b580b8 79283 b4965d VariantClear 79279->79283 79280->79273 79339 b4950d 79280->79339 79284 b58042 79281->79284 79285 b58022 79281->79285 79287 b580c0 
79283->79287 79345 b49597 VariantClear 79284->79345 79288 b58032 79285->79288 79285->79289 79287->79144 79287->79145 79344 b49604 VariantClear 79288->79344 79289->79273 79346 b495df VariantClear 79289->79346 79292->79242 79293->79242 79294->79159 79295->79175 79296->79187 79297->79189 79298->79196 79299->79198 79300->79204 79301->79206 79302->79210 79303->79214 79304->79216 79305->79242 79306->79203 79307->79212 79308->79222 79309->79225 79310->79229 79311->79233 79312->79237 79313->79242 79314->79268 79315->79268 79316->79268 79317->79268 79318->79268 79319->79230 79320->79238 79321->79243 79322->79248 79323->79252 79324->79257 79325->79242 79326->79246 79327->79250 79328->79256 79329->79261 79330->79263 79331->79265 79332->79242 79333->79169 79334->79171 79335->79176 79336->79180 79337->79184 79338->79242 79349 b49767 79339->79349 79341 b49518 SysAllocStringLen 79342 b4954f 79341->79342 79343 b49539 _CxxThrowException 79341->79343 79342->79273 79343->79342 79344->79273 79345->79273 79346->79273 79347->79273 79348->79279 79350 b49770 79349->79350 79351 b49779 79349->79351 79350->79341 79354 b49686 VariantClear 79351->79354 79353 b49780 79353->79341 79354->79353 79356 b9151b __EH_prolog 79355->79356 79362 b910d3 79356->79362 79359 b91589 79359->79118 79360 b91552 _CxxThrowException 79360->79118 79360->79359 79361->79120 79363 b910dd __EH_prolog 79362->79363 79364 b8d1b7 free 79363->79364 79368 b910f2 79364->79368 79365 b912ef 79365->79359 79365->79360 79366 b911f4 79366->79365 79393 b4b95a 6 API calls 79366->79393 79367 b9139e 79367->79365 79369 b913c4 79367->79369 79372 b41e0c ctype 2 API calls 79367->79372 79368->79365 79368->79366 79371 b51168 10 API calls 79368->79371 79370 b51168 10 API calls 79369->79370 79373 b913da 79370->79373 79371->79366 79372->79369 79376 b913f9 79373->79376 79386 b913de 79373->79386 79429 b8ef67 _CxxThrowException 79373->79429 79394 b8f047 79376->79394 79379 b914ba 79433 b90943 50 API calls 2 library calls 79379->79433 79380 b91450 
79398 b906ae 79380->79398 79384 b914e7 79434 b72db9 free ctype 79384->79434 79435 b41e40 free 79386->79435 79389 b9148e 79390 b8f047 _CxxThrowException 79389->79390 79391 b914ac 79390->79391 79391->79379 79432 b8ef67 _CxxThrowException 79391->79432 79393->79367 79395 b8f063 79394->79395 79396 b8f072 79395->79396 79436 b8ef67 _CxxThrowException 79395->79436 79396->79379 79396->79380 79430 b8ef67 _CxxThrowException 79396->79430 79399 b906b8 __EH_prolog 79398->79399 79437 b903f4 79399->79437 79401 b90877 79403 b8b8dc ctype free 79401->79403 79402 b512a5 5 API calls 79428 b90715 79402->79428 79404 b908a6 79403->79404 79467 b41e40 free 79404->79467 79405 b908e3 _CxxThrowException 79407 b908f7 79405->79407 79411 b8b8dc ctype free 79407->79411 79408 b908ae 79468 b41e40 free 79408->79468 79409 b4429a 3 API calls 79409->79428 79413 b90914 79411->79413 79412 b908b6 79469 b41e40 free 79412->79469 79471 b41e40 free 79413->79471 79414 b41e0c ctype 2 API calls 79414->79428 79416 b908be 79470 b8c149 free ctype 79416->79470 79419 b9091c 79472 b41e40 free 79419->79472 79420 b908d0 79420->79384 79420->79389 79431 b8ef67 _CxxThrowException 79420->79431 79422 b90924 79473 b41e40 free 79422->79473 79423 b881ec 29 API calls 79423->79428 79425 b9092c 79474 b8c149 free ctype 79425->79474 79427 b8ef67 _CxxThrowException 79427->79428 79428->79401 79428->79402 79428->79405 79428->79407 79428->79409 79428->79414 79428->79423 79428->79427 79429->79376 79430->79380 79431->79389 79432->79379 79433->79384 79434->79386 79435->79365 79436->79396 79438 b8f047 _CxxThrowException 79437->79438 79439 b90407 79438->79439 79440 b90475 79439->79440 79441 b8f047 _CxxThrowException 79439->79441 79443 b9049a 79440->79443 79478 b8fa3f 22 API calls 2 library calls 79440->79478 79450 b90421 79441->79450 79453 b904b8 79443->79453 79479 b9159a malloc _CxxThrowException free ctype 79443->79479 79444 b904e8 79481 b97c4a malloc _CxxThrowException free ctype 79444->79481 79445 b9043e 79476 b8f93c 7 API calls 2 library 
calls 79445->79476 79446 b90492 79451 b8f047 _CxxThrowException 79446->79451 79449 b904cd 79480 b8fff0 9 API calls 2 library calls 79449->79480 79450->79445 79475 b8ef67 _CxxThrowException 79450->79475 79451->79443 79453->79444 79453->79449 79456 b904e3 79463 b9054a 79456->79463 79483 b8ef67 _CxxThrowException 79456->79483 79457 b90446 79459 b9046d 79457->79459 79477 b8ef67 _CxxThrowException 79457->79477 79458 b904db 79460 b8f047 _CxxThrowException 79458->79460 79462 b8f047 _CxxThrowException 79459->79462 79460->79456 79461 b904f3 79461->79456 79482 b5089e malloc _CxxThrowException free _CxxThrowException memcpy 79461->79482 79462->79440 79463->79428 79467->79408 79468->79412 79469->79416 79470->79420 79471->79419 79472->79422 79473->79425 79474->79420 79475->79445 79476->79457 79477->79459 79478->79446 79479->79453 79480->79458 79481->79461 79482->79461 79483->79463 79484 b6d3c2 79485 b6d3e9 79484->79485 79486 b4965d VariantClear 79485->79486 79487 b6d42a 79486->79487 79488 b6d883 2 API calls 79487->79488 79489 b6d4b1 79488->79489 79575 b68d4a 79489->79575 79492 b68b05 VariantClear 79495 b6d4e3 79492->79495 79493 b62a72 2 API calls 79494 b6d54c 79493->79494 79496 b42fec 3 API calls 79494->79496 79495->79493 79497 b6d594 79496->79497 79498 b6d742 79497->79498 79499 b6d5cd 79497->79499 79607 b6cd49 malloc _CxxThrowException free 79498->79607 79500 b6d7d9 79499->79500 79592 b69317 79499->79592 79610 b41e40 free 79500->79610 79502 b6d754 79505 b42fec 3 API calls 79502->79505 79508 b6d763 79505->79508 79506 b6d7e1 79611 b41e40 free 79506->79611 79608 b41e40 free 79508->79608 79510 b6d5f1 79513 b804d2 5 API calls 79510->79513 79512 b6d7e9 79515 b6326b free 79512->79515 79516 b6d5f9 79513->79516 79514 b6d76b 79609 b41e40 free 79514->79609 79527 b6d69a 79515->79527 79598 b6e332 79516->79598 79519 b6d773 79521 b6326b free 79519->79521 79521->79527 79523 b6d610 79605 b41e40 free 79523->79605 79525 b6d618 79526 b6326b free 79525->79526 79528 b6d2a8 79526->79528 79528->79527 
79550 b6d883 79528->79550 79531 b42fec 3 API calls 79532 b6d361 79531->79532 79533 b42fec 3 API calls 79532->79533 79534 b6d36d 79533->79534 79562 b6d0e1 79534->79562 79536 b6d380 79537 b6d665 79536->79537 79538 b6d38a 79536->79538 79540 b6d68b 79537->79540 79606 b6cd49 malloc _CxxThrowException free 79537->79606 79539 b804d2 5 API calls 79538->79539 79542 b6d392 79539->79542 79541 b6326b free 79540->79541 79541->79527 79544 b6e332 2 API calls 79542->79544 79546 b6d3a1 79544->79546 79545 b6d67c 79547 b42fec 3 API calls 79545->79547 79548 b6326b free 79546->79548 79547->79540 79549 b6d3b0 79548->79549 79551 b6d88d __EH_prolog 79550->79551 79552 b42e04 2 API calls 79551->79552 79553 b6d8c6 79552->79553 79554 b42e04 2 API calls 79553->79554 79555 b6d8d2 79554->79555 79556 b42e04 2 API calls 79555->79556 79557 b6d8de 79556->79557 79558 b62b63 2 API calls 79557->79558 79559 b6d8fa 79558->79559 79560 b62b63 2 API calls 79559->79560 79561 b6d34f 79560->79561 79561->79531 79563 b6d0eb __EH_prolog 79562->79563 79564 b6d10b 79563->79564 79565 b6d138 79563->79565 79566 b41e0c ctype 2 API calls 79564->79566 79567 b41e0c ctype 2 API calls 79565->79567 79573 b6d112 79565->79573 79566->79573 79568 b6d14b 79567->79568 79569 b42fec 3 API calls 79568->79569 79570 b6d17b 79569->79570 79612 b47b41 28 API calls 79570->79612 79572 b6d18a 79572->79573 79613 b4757d GetLastError 79572->79613 79573->79536 79576 b68d54 __EH_prolog 79575->79576 79577 b68da4 79576->79577 79614 b42b55 malloc _CxxThrowException free _CxxThrowException ctype 79576->79614 79578 b68e15 79577->79578 79579 b68e09 79577->79579 79586 b68e11 79577->79586 79581 b68e2d 79578->79581 79582 b68e5e 79578->79582 79583 b68e21 79578->79583 79580 b4965d VariantClear 79579->79580 79580->79586 79581->79582 79584 b68e2b 79581->79584 79585 b4965d VariantClear 79582->79585 79615 b43097 malloc _CxxThrowException free SysStringLen ctype 79583->79615 79588 b4965d VariantClear 79584->79588 79585->79586 79586->79492 79590 b68e47 
79588->79590 79590->79586 79616 b68e7c 6 API calls __EH_prolog 79590->79616 79593 b69321 __EH_prolog 79592->79593 79597 b69360 79593->79597 79617 b49686 VariantClear 79593->79617 79594 b4965d VariantClear 79595 b693d0 79594->79595 79595->79500 79595->79510 79597->79594 79599 b6e33c __EH_prolog 79598->79599 79600 b41e0c ctype 2 API calls 79599->79600 79601 b6e34a 79600->79601 79602 b6d608 79601->79602 79618 b6e3d1 malloc _CxxThrowException __EH_prolog 79601->79618 79604 b41e40 free 79602->79604 79604->79523 79605->79525 79606->79545 79607->79502 79608->79514 79609->79519 79610->79506 79611->79512 79612->79572 79613->79573 79614->79577 79615->79584 79616->79586 79617->79597 79618->79602 79619 bc6bc6 79620 bc6bcd 79619->79620 79621 bc6bca 79619->79621 79620->79621 79622 bc6bd1 malloc 79620->79622 79622->79621 79623 b80343 79628 b8035f 79623->79628 79626 b80358 79629 b80369 __EH_prolog 79628->79629 79645 b5139e 79629->79645 79634 b80143 ctype free 79635 b8039a 79634->79635 79655 b41e40 free 79635->79655 79637 b803a2 79656 b41e40 free 79637->79656 79639 b803aa 79657 b803d8 79639->79657 79644 b41e40 free 79644->79626 79646 b513ae 79645->79646 79648 b513b3 79645->79648 79673 bd7ea0 SetEvent GetLastError 79646->79673 79649 b801c4 79648->79649 79652 b801ce __EH_prolog 79649->79652 79650 b80203 79674 b41e40 free 79650->79674 79652->79650 79675 b41e40 free 79652->79675 79653 b8020b 79653->79634 79655->79637 79656->79639 79658 b803e2 __EH_prolog 79657->79658 79659 b5139e ctype 2 API calls 79658->79659 79660 b803fb 79659->79660 79676 bd7d50 79660->79676 79662 b80403 79663 bd7d50 ctype 2 API calls 79662->79663 79664 b8040b 79663->79664 79665 bd7d50 ctype 2 API calls 79664->79665 79666 b803b7 79665->79666 79667 b8004a 79666->79667 79668 b80054 __EH_prolog 79667->79668 79682 b41e40 free 79668->79682 79670 b80067 79683 b41e40 free 79670->79683 79672 b8006f 79672->79626 79672->79644 79673->79648 79674->79653 79675->79652 79677 bd7d59 CloseHandle 79676->79677 79678 bd7d7b 
79676->79678 79679 bd7d75 79677->79679 79680 bd7d64 GetLastError 79677->79680 79678->79662 79679->79678 79680->79678 79681 bd7d6e 79680->79681 79681->79662 79682->79670 79683->79672 79684 b6d948 79714 b6dac7 79684->79714 79686 b6d94f 79687 b42e04 2 API calls 79686->79687 79688 b6d97b 79687->79688 79689 b42e04 2 API calls 79688->79689 79690 b6d987 79689->79690 79693 b6d9e7 79690->79693 79722 b46404 79690->79722 79695 b6da0f 79693->79695 79712 b6da36 79693->79712 79747 b41e40 free 79695->79747 79697 b6da94 79751 b41e40 free 79697->79751 79699 b6d9bf 79745 b41e40 free 79699->79745 79701 b6da17 79748 b41e40 free 79701->79748 79703 b6d9c7 79746 b41e40 free 79703->79746 79704 b6da9c 79752 b41e40 free 79704->79752 79705 b42da9 2 API calls 79705->79712 79709 b6d9cf 79710 b804d2 5 API calls 79710->79712 79712->79697 79712->79705 79712->79710 79749 b41524 malloc _CxxThrowException __EH_prolog ctype 79712->79749 79750 b41e40 free 79712->79750 79715 b6dad1 __EH_prolog 79714->79715 79716 b42e04 2 API calls 79715->79716 79717 b6db33 79716->79717 79718 b42e04 2 API calls 79717->79718 79719 b6db3f 79718->79719 79720 b42e04 2 API calls 79719->79720 79721 b6db55 79720->79721 79721->79686 79723 b4631f 9 API calls 79722->79723 79724 b46414 79723->79724 79725 b46423 79724->79725 79726 b42f88 3 API calls 79724->79726 79727 b42f88 3 API calls 79725->79727 79726->79725 79728 b4643d 79727->79728 79729 b57e5a 79728->79729 79730 b57e64 __EH_prolog 79729->79730 79753 b58179 79730->79753 79733 b67ebb free 79734 b57e7f 79733->79734 79735 b42fec 3 API calls 79734->79735 79736 b57e9a 79735->79736 79737 b42da9 2 API calls 79736->79737 79738 b57ea7 79737->79738 79739 b46c72 44 API calls 79738->79739 79740 b57eb7 79739->79740 79758 b41e40 free 79740->79758 79742 b57ecb 79743 b57ed8 79742->79743 79759 b4757d GetLastError 79742->79759 79743->79693 79743->79699 79745->79703 79746->79709 79747->79701 79748->79709 79749->79712 79750->79712 79751->79704 79752->79709 79757 b58906 79753->79757 79754 b57e77 
79754->79733 79757->79754 79760 b58804 free ctype 79757->79760 79761 b41e40 free 79757->79761 79758->79742 79759->79743 79760->79757 79761->79757

                                Control-flow Graph
                                APIs
                                • GetCurrentProcess.KERNEL32(00000020,00B51EC5,?,7633AB50,?,?,?,?,00B51EC5,00B51CEF), ref: 00B49329
                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00B51EC5,00B51CEF), ref: 00B49330
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00B49342
                                • AdjustTokenPrivileges.KERNELBASE(00B51EC5,00000000,?,00000000,00000000,00000000), ref: 00B49368
                                • GetLastError.KERNEL32 ref: 00B49372
                                • CloseHandle.KERNELBASE(00B51EC5,?,?,?,?,00B51EC5,00B51CEF), ref: 00B49388
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeRestorePrivilege
                                • API String ID: 3398352648-1684392131
                                • Opcode ID: d91627e400f09a62731379861d7d1339ede23a6f6d1885f3e5e59ec88095ea40
                                • Instruction ID: 9da3d493c598cbcee613d022aff0818d7662d7397b7216e0f22af545fa7c419c
                                • Opcode Fuzzy Hash: d91627e400f09a62731379861d7d1339ede23a6f6d1885f3e5e59ec88095ea40
                                • Instruction Fuzzy Hash: AB018076945258AFCB109FF19C89BDF7FBCEF06340F0401A4E542E6191DA748709D7A0

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B53D6B
                                • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53D7D
                                • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53D94
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00B53DB6
                                • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53DCB
                                • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53DD5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeSecurityPrivilege
                                • API String ID: 3475889169-2333288578
                                • Opcode ID: 38bab2b685178650ff29d8fafd26b6113aedfcf456d648095d62eacf0c28ceb5
                                • Instruction ID: 83a470b84e8baa171fcaa9c752e4705214103c035df3e67fa3ef716c2e8f3820
                                • Opcode Fuzzy Hash: 38bab2b685178650ff29d8fafd26b6113aedfcf456d648095d62eacf0c28ceb5
                                • Instruction Fuzzy Hash: 461130B19402599FDB10DFE5CCC5AFEFBFCFB04785F0005A9E812E2291DB708A099A60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B881F1
                                  • Part of subcall function 00B8F749: _CxxThrowException.MSVCRT(?,00BF4A58), ref: 00B8F792
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 461045715-3916222277
                                • Opcode ID: 33da5c81ce8f0beda0475089e62644b30a9d4715811b619b8a57ced2e1216d16
                                • Instruction ID: 2fb195e08618b44ba937c513164c976a9766cc2d50139a47a70d4d786e7e27ce
                                • Opcode Fuzzy Hash: 33da5c81ce8f0beda0475089e62644b30a9d4715811b619b8a57ced2e1216d16
                                • Instruction Fuzzy Hash: 0B926D30900259DFDB15EFA8C884BAEBBF1EF14304F6444D9E815AB2A2CB71DE45CB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B4686D
                                  • Part of subcall function 00B46848: FindClose.KERNELBASE(00000000,?,00B46880), ref: 00B46853
                                • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00B468A5
                                • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00B468DE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: Find$FileFirst$CloseH_prolog
                                • String ID:
                                • API String ID: 3371352514-0
                                • Opcode ID: d91e5b99171cfca868d7adb11636581e435ec6380d5d8c847e603125f7bf1a22
                                • Instruction ID: 205f31961f6a9b7c03621cd1534304a848a0dc22fb0b32c5fcf8a04c770fca24
                                • Opcode Fuzzy Hash: d91e5b99171cfca868d7adb11636581e435ec6380d5d8c847e603125f7bf1a22
                                • Instruction Fuzzy Hash: 6811D031900219ABCF10EF64C8915EDB7F9EF11320F1046AAE9A197192DB318F86EB41

                                Control-flow Graph
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$ExceptionThrow
                                • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                • API String ID: 3665150552-429544124
                                • Opcode ID: 4c72fb674fd936ab175cdc9d55486741174bde8f02fb7ee472aaf6e820dc2ff6
                                • Instruction ID: 6de102590f9d280cabc683d300ed70c0170abcebab4130b88fc3464f2505deec
                                • Opcode Fuzzy Hash: 4c72fb674fd936ab175cdc9d55486741174bde8f02fb7ee472aaf6e820dc2ff6
                                • Instruction Fuzzy Hash: 29526831904258DFDF2AEBA4C885BEDBBF5AF84300F1484DAE45963291DB746E88DF11

                                Control-flow Graph
                                APIs
                                • fputs.MSVCRT(Scanning the drive for archives:), ref: 00B7A43E
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputcfputs
                                • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                • API String ID: 269475090-3104439828
                                • Opcode ID: 400f42ae8868bcff9e294cc05f3cddbb840ac328cb43228cb673e4f579e88762
                                • Instruction ID: b551d138c1cec7114956472ac996e2a4a67fc6f7ed32cb6bcbcc11c7478b6974
                                • Opcode Fuzzy Hash: 400f42ae8868bcff9e294cc05f3cddbb840ac328cb43228cb673e4f579e88762
                                • Instruction Fuzzy Hash: 87226A319012589FDF2AEBA4C845BEDBBF1EF94300F1484DAE459632A1DB706E84DF12

                                Control-flow Graph
                                APIs
                                  • Part of subcall function 00B7B5B1: fputs.MSVCRT ref: 00B7B5CA
                                  • Part of subcall function 00B7B5B1: fputs.MSVCRT ref: 00B7B5E1
                                • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 00B799BD
                                • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00B799C4
                                • _CxxThrowException.MSVCRT(?,00BF55B8), ref: 00B79A77
                                • _CxxThrowException.MSVCRT(?,00BF55B8), ref: 00B79ABB
                                  • Part of subcall function 00B41FB3: __EH_prolog.LIBCMT ref: 00B41FB8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                                • API String ID: 377453556-3661318601
                                • Opcode ID: 2bec02f51fc80d6b38abed9afdf7caa309bbbdc4603907628fc43c11f840dc64
                                • Instruction ID: 30f3691c7d2c5819d2f5a737581a25fb55980e27c211c19f8f84c7e3d3a86afe
                                • Opcode Fuzzy Hash: 2bec02f51fc80d6b38abed9afdf7caa309bbbdc4603907628fc43c11f840dc64
                                • Instruction Fuzzy Hash: 4C227031D00208DFDF15EFA8D885BADBBF1EF44310F20449AE559AB292CB359A85DF61

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B51AE3
                                  • Part of subcall function 00B413F5: __EH_prolog.LIBCMT ref: 00B413FA
                                • _CxxThrowException.MSVCRT(?,00BF6010), ref: 00B51B2D
                                • _fileno.MSVCRT ref: 00B51B3E
                                • _isatty.MSVCRT ref: 00B51B47
                                • _fileno.MSVCRT ref: 00B51B5D
                                • _isatty.MSVCRT ref: 00B51B60
                                • _fileno.MSVCRT ref: 00B51B73
                                • _CxxThrowException.MSVCRT(?,00BF6010), ref: 00B51CBB
                                • _CxxThrowException.MSVCRT(?,00BF6010), ref: 00B51DBD
                                • wcscmp.MSVCRT ref: 00B51DCA
                                • _CxxThrowException.MSVCRT(?,00BF6010), ref: 00B51E04
                                • _isatty.MSVCRT ref: 00B51B76
                                  • Part of subcall function 00B61D73: __EH_prolog.LIBCMT ref: 00B61D78
                                • _CxxThrowException.MSVCRT(?,00BF6010), ref: 00B51E2C
                                • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00B51E3B
                                • SetProcessAffinityMask.KERNEL32(00000000), ref: 00B51E42
                                • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00B51E4C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                • String ID: : ERROR : $@46v$SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                • API String ID: 1826148334-3064912335
                                • Opcode ID: e1a0df282164fb6588c916d55fdf2c13bf9b98908c4a709ef3fb543f8e89ba9d
                                • Instruction ID: 61370c9448502a1fd4dfb714192448388f4c2ad619b1524c87c354bee2e21b36
                                • Opcode Fuzzy Hash: e1a0df282164fb6588c916d55fdf2c13bf9b98908c4a709ef3fb543f8e89ba9d
                                • Instruction Fuzzy Hash: 85C1C5319002859FDB11DFB8C889BD9BFF4EF19314F1488D9E895A72A2CB74AD48CB51

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B78017
                                • fputs.MSVCRT ref: 00B7804D
                                  • Part of subcall function 00B78341: __EH_prolog.LIBCMT ref: 00B78346
                                  • Part of subcall function 00B78341: fputs.MSVCRT ref: 00B7835B
                                  • Part of subcall function 00B78341: fputs.MSVCRT ref: 00B78364
                                • fputs.MSVCRT ref: 00B7807A
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                  • Part of subcall function 00B4965D: VariantClear.OLEAUT32(?), ref: 00B4967F
                                • SysFreeString.OLEAUT32(00000000), ref: 00B781AA
                                • fputs.MSVCRT ref: 00B781CD
                                • SysFreeString.OLEAUT32(00000000), ref: 00B78267
                                • SysFreeString.OLEAUT32(00000000), ref: 00B782B1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                • API String ID: 2889736305-3797937567
                                • Opcode ID: 4c3a48338b23791ddf08986486d380ccc3acafd91b7adc3345aac133f5398d30
                                • Instruction ID: dfc946e565adb2673ab1a4f809acd6293899cc5901cc43f06e49a319944eb347
                                • Opcode Fuzzy Hash: 4c3a48338b23791ddf08986486d380ccc3acafd91b7adc3345aac133f5398d30
                                • Instruction Fuzzy Hash: 4D916C31A40605EFDB14DFA4C989AAEB7F5FF48310F1081A9E52AB7291DF70AD05CB60

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7676B
                                • EnterCriticalSection.KERNEL32(00C02938), ref: 00B76781
                                • fputs.MSVCRT ref: 00B7680B
                                • LeaveCriticalSection.KERNEL32(00C02938), ref: 00B76944
                                  • Part of subcall function 00B7C7D7: fputs.MSVCRT ref: 00B7C840
                                • fputs.MSVCRT ref: 00B76851
                                  • Part of subcall function 00B42201: fputs.MSVCRT ref: 00B4221E
                                • fputs.MSVCRT ref: 00B768D9
                                • fputs.MSVCRT ref: 00B768F6
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                • String ID: v$Sub items Errors:
                                • API String ID: 2670240366-2468115448
                                • Opcode ID: 31cdd1a73dc7f6070437eb6881ffb0171f10e72aefddf532792091470af535c6
                                • Instruction ID: 04332d6f9dd37d0dae4754816c35b13a75a4fcfea95b0c27c465915eacd91609
                                • Opcode Fuzzy Hash: 31cdd1a73dc7f6070437eb6881ffb0171f10e72aefddf532792091470af535c6
                                • Instruction Fuzzy Hash: 6551B131505A40CFCB259F64D894AEABBF1FF84310F5488AEE5AE8B261CB307D45DB51

                                Control-flow Graph
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7635E
                                • fputs.MSVCRT ref: 00B7645F
                                  • Part of subcall function 00B7C7D7: fputs.MSVCRT ref: 00B7C840
                                • fputs.MSVCRT ref: 00B76547
                                • fputs.MSVCRT ref: 00B7665F
                                • fputs.MSVCRT ref: 00B766AE
                                  • Part of subcall function 00B41F91: fflush.MSVCRT ref: 00B41F93
                                  • Part of subcall function 00B41FB3: __EH_prolog.LIBCMT ref: 00B41FB8
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog$fflushfree
                                • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                • API String ID: 1750297421-1898165966
                                • Opcode ID: 2ed672fd8c46b745627515eca1e168a748a3a0224eb286635df1d8a42d76ad6b
                                • Instruction ID: 41cc8bd06e8e916cc16476e03a80ea9bf10944f70c32ad5d4e054929e3393b02
                                • Opcode Fuzzy Hash: 2ed672fd8c46b745627515eca1e168a748a3a0224eb286635df1d8a42d76ad6b
                                • Instruction Fuzzy Hash: 2EB15130A01B058FDB24EF64C9A1BAAB7F1FF44304F4489ADE56E57251CB70AD89DB50

                                Control-flow Graph

                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00B49CB3
                                • GetProcAddress.KERNEL32(00000000), ref: 00B49CBA
                                • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00B49CC8
                                • GlobalMemoryStatus.KERNEL32(?), ref: 00B49CFA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                • API String ID: 180289352-802862622
                                • Opcode ID: 5387cf5617b28b42954d2e2d8c8c5e56ba795c1d032cb138a1ecd04193edfc06
                                • Instruction ID: 1f6e6387eb9aaa395bec7db4f7fd1a3cdcae420aa2f1173591fd583377b87c5f
                                • Opcode Fuzzy Hash: 5387cf5617b28b42954d2e2d8c8c5e56ba795c1d032cb138a1ecd04193edfc06
                                • Instruction Fuzzy Hash: 0B115770900309AFDF20DFA4D889BAEBBF4FF14305F100458E442AB241DB78EA80DB54

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                • String ID:
                                • API String ID: 4012487245-0
                                • Opcode ID: e0c1cd872462662af5aac023d1e15b8611f2d201f0890ea6a09ef5f247b63dba
                                • Instruction ID: a71ada78ee65461b73b7d5ed7ed2a32d5e7a691f902cb1cd4d134e69f48a33b2
                                • Opcode Fuzzy Hash: e0c1cd872462662af5aac023d1e15b8611f2d201f0890ea6a09ef5f247b63dba
                                • Instruction Fuzzy Hash: 0221F971900748AFCB14AFA4DC89BAEBBB8FB09724F114259F511A72F2DB745441CF21

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                • String ID:
                                • API String ID: 279829931-0
                                • Opcode ID: 2af569f07d55dbb1ce168af443e3af5968d4d3f57593b63911f4bd2d5ba9d023
                                • Instruction ID: 6961b22f6237827f32ec494aaab1cbe77c25cb19e6c5bd0833a73f44cb30b841
                                • Opcode Fuzzy Hash: 2af569f07d55dbb1ce168af443e3af5968d4d3f57593b63911f4bd2d5ba9d023
                                • Instruction Fuzzy Hash: 3001E971910748AFDF04ABA0DC89DEEBBB9FB08314B104059F501B62A2DB759441CB21

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 00B6185D
                                  • Part of subcall function 00B6021A: __EH_prolog.LIBCMT ref: 00B6021F
                                  • Part of subcall function 00B6062E: __EH_prolog.LIBCMT ref: 00B60633
                                • _CxxThrowException.MSVCRT(?,00BF6010), ref: 00B61961
                                  • Part of subcall function 00B61AA5: __EH_prolog.LIBCMT ref: 00B61AAA
                                Strings
                                • Duplicate archive path:, xrefs: 00B61A8D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID: Duplicate archive path:
                                • API String ID: 2366012087-4000988232
                                • Opcode ID: 8088d096c018f4a7b982b836fd948d7b2776bcf5bb0700dc0849ae64dd63a042
                                • Instruction ID: 28eaf7727b8178011340783fb5fc330e5abf3d8c1c60003ea6bc86c305d0ae05
                                • Opcode Fuzzy Hash: 8088d096c018f4a7b982b836fd948d7b2776bcf5bb0700dc0849ae64dd63a042
                                • Instruction Fuzzy Hash: A4816735D00259DBCF25EFA8D891ADDBBF5AF08310F1444EAE416772A2DB34AE05DB60

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 2a51871b6fbdf00cd663610a5894601e5225d0eb6c2b09fd7627f6b2fa7cf869
                                • Instruction ID: 852182d367fee91be34c84a0e9832bff58a5fe1e31e37551e1ff5df6dae89b3d
                                • Opcode Fuzzy Hash: 2a51871b6fbdf00cd663610a5894601e5225d0eb6c2b09fd7627f6b2fa7cf869
                                • Instruction Fuzzy Hash: 00514F76A002069FDB14EFA4C8C5BBEB3F5FF88354F1484A9E901AB251D774E945CB60

                                Control-flow Graph

                                APIs
                                • __EH_prolog.LIBCMT ref: 00B46C77
                                • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00B46EC9
                                  • Part of subcall function 00B46C72: wcscmp.MSVCRT ref: 00B470A5
                                  • Part of subcall function 00B46BF5: __EH_prolog.LIBCMT ref: 00B46BFA
                                  • Part of subcall function 00B46BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00B46C1A
                                  • Part of subcall function 00B46BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00B46C49
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                • String ID: :$DATA
                                • API String ID: 3316598575-2587938151
                                • Opcode ID: 48c0637d1de952251dd0d558e1d48fd90a550f17fb3e81dfcc51bf8762cc4a4e
                                • Instruction ID: c2232a5c8ea91e298476e049651ba12296dbfb1915fb3a2e75a05416de159680
                                • Opcode Fuzzy Hash: 48c0637d1de952251dd0d558e1d48fd90a550f17fb3e81dfcc51bf8762cc4a4e
                                • Instruction Fuzzy Hash: 46E105309402099ACF25EFA8C891BEDB7F1EF16314F104599E886672D2DF709F49EB52
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B56FCA
                                  • Part of subcall function 00B56E71: __EH_prolog.LIBCMT ref: 00B56E76
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                • API String ID: 3519838083-394804653
                                • Opcode ID: 602f6f963521ae56691b8016fe5d45b16fb19e1e2b34fa81dda3c4758784eacd
                                • Instruction ID: dcd86373cfc8bd5eb2fcfea59e7170bc14b461b5a6486eb1a9a6b04eae129cb3
                                • Opcode Fuzzy Hash: 602f6f963521ae56691b8016fe5d45b16fb19e1e2b34fa81dda3c4758784eacd
                                • Instruction Fuzzy Hash: BC41C632A486849BCF21DFA59490BEEFBF5EF45301F5844EED886B3241CA706E48C761
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: b81211681a75038847bcc736cc0c0c478ad530a215257ac0118ec4e4f1c84b68
                                • Instruction ID: b9a5bef206cca2f06d1fd9c1fc1c39eb71e1a284ed1ace4151606cbeaa136ca2
                                • Opcode Fuzzy Hash: b81211681a75038847bcc736cc0c0c478ad530a215257ac0118ec4e4f1c84b68
                                • Instruction Fuzzy Hash: F121AE32904118ABCF0AEB94D942BEDBBF5EF44310F2040AAF405721A2DF715E45EB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B78346
                                • fputs.MSVCRT ref: 00B7835B
                                • fputs.MSVCRT ref: 00B78364
                                  • Part of subcall function 00B783BF: __EH_prolog.LIBCMT ref: 00B783C4
                                  • Part of subcall function 00B783BF: fputs.MSVCRT ref: 00B78401
                                  • Part of subcall function 00B783BF: fputs.MSVCRT ref: 00B78437
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: 6a6950661a121c8028b7edf696ee4aeca9544b5968c1b0f8a68648c4072087c6
                                • Instruction ID: 8de28c20c2af40bc74d2c1449ab0230722d9612a53605b37781dc15b74b53239
                                • Opcode Fuzzy Hash: 6a6950661a121c8028b7edf696ee4aeca9544b5968c1b0f8a68648c4072087c6
                                • Instruction Fuzzy Hash: 7101D631A00004ABCF05BBA8C856AEDBFF5EF84750F00849AF405622A2CF744A46EBD5
                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,00B5AB57), ref: 00BD7DAA
                                • GetLastError.KERNEL32(?,00000000,00B5AB57), ref: 00BD7DBB
                                • CloseHandle.KERNELBASE(00000000,?,00000000,00B5AB57), ref: 00BD7DCF
                                • GetLastError.KERNEL32(?,00000000,00B5AB57), ref: 00BD7DD9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$CloseHandleObjectSingleWait
                                • String ID:
                                • API String ID: 1796208289-0
                                • Opcode ID: 48f0ccbdc4b421098e91e172802f612876bfacbc370bc74cbdf8ad6016552c4a
                                • Instruction ID: 207a5ed2e7f3179ff447e9fe8974ac438cac0a1a85f2b12744293a069c6f5bb2
                                • Opcode Fuzzy Hash: 48f0ccbdc4b421098e91e172802f612876bfacbc370bc74cbdf8ad6016552c4a
                                • Instruction Fuzzy Hash: B1F0F4B13482414BDB205A7D9C84BB6A6D9EF55374720077BE561D73D0FF60CC418610
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B6209B
                                  • Part of subcall function 00B4757D: GetLastError.KERNEL32(00B4D14C), ref: 00B4757D
                                  • Part of subcall function 00B62C6C: __EH_prolog.LIBCMT ref: 00B62C71
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ErrorLastfree
                                • String ID: Cannot find archive file$The item is a directory
                                • API String ID: 683690243-1569138187
                                • Opcode ID: 658dd5fe77782b814d035838f29d039711651a7d054d08a083c58d93a28c8b36
                                • Instruction ID: 8d1fda3b2e98a2f443c51b1934584ee78d2c6a542ced64958dc9b43737827981
                                • Opcode Fuzzy Hash: 658dd5fe77782b814d035838f29d039711651a7d054d08a083c58d93a28c8b36
                                • Instruction Fuzzy Hash: 3A722274D006589FDB25DFA8C884ADDBBF1EF59300F1480DAE859AB252CB749E81CF91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CountTickfputs
                                • String ID: .
                                • API String ID: 290905099-4150638102
                                • Opcode ID: b22f2fad015634289d49972860e8457a05c35c997f9f5837b90ed878727a4676
                                • Instruction ID: def98c6057e001f24c4d50693be25e9876535f8c31245b226cbba6dd9f4dc80f
                                • Opcode Fuzzy Hash: b22f2fad015634289d49972860e8457a05c35c997f9f5837b90ed878727a4676
                                • Instruction Fuzzy Hash: 79713930600B049FCB61EF68C591AAEBBF5EF81704F40889DE5AB97641DB70FA49DB11
                                APIs
                                  • Part of subcall function 00B49C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00B49CB3
                                  • Part of subcall function 00B49C8F: GetProcAddress.KERNEL32(00000000), ref: 00B49CBA
                                  • Part of subcall function 00B49C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00B49CC8
                                • __aulldiv.LIBCMT ref: 00B8093F
                                • __aulldiv.LIBCMT ref: 00B8094B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                • String ID: 3333
                                • API String ID: 3520896023-2924271548
                                • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                • Instruction ID: 7e3ad381c263b4cef26eee7c77442ea42f250fa346f4b4e9c0ac94ea9d8a62b3
                                • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                • Instruction Fuzzy Hash: B621B7B09007046FE730EF6E8881A6BFAF9EB84750F04896FF186D3352D670A904CB65
                                APIs
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                • memset.MSVCRT ref: 00B6AEBA
                                • memset.MSVCRT ref: 00B6AECD
                                  • Part of subcall function 00B804D2: _CxxThrowException.MSVCRT(?,00BF4A58), ref: 00B804F8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memset$ExceptionThrowfree
                                • String ID: Split
                                • API String ID: 1404239998-1882502421
                                • Opcode ID: 2d9c7fea124e3ba3cf89e71910c1d9c5ffd97ceb9af60f10e7f9add19ba5bfcf
                                • Instruction ID: 970f742e15d8259677059db4746c4f5c8c90b5504b7c0530f3ee21b54d8e3d79
                                • Opcode Fuzzy Hash: 2d9c7fea124e3ba3cf89e71910c1d9c5ffd97ceb9af60f10e7f9add19ba5bfcf
                                • Instruction Fuzzy Hash: 59421730A002599FDF25DBA8C994BADBBF5EF05304F2440E9E449B7252CB79AE85CF11
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B4759F
                                  • Part of subcall function 00B4764C: CloseHandle.KERNELBASE(00000000,?,00B475AF,00000002,?,00000000,00000000), ref: 00B47657
                                • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 00B475E5
                                • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00B47626
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CreateFile$CloseH_prologHandle
                                • String ID:
                                • API String ID: 449569272-0
                                • Opcode ID: 6a98985bef5973be2ac19dfc87dbd96cae034585196e7ecb90c911ccee92b153
                                • Instruction ID: 381bc7f2e1c086116833b6e43dbe6a62474750937769b5cd5e8885e8d6ce906e
                                • Opcode Fuzzy Hash: 6a98985bef5973be2ac19dfc87dbd96cae034585196e7ecb90c911ccee92b153
                                • Instruction Fuzzy Hash: 8A11967280021AEFCF11AFA8DC418EEBBFAFF14354B108569F961561A1CB719E61EB50
                                APIs
                                • fputs.MSVCRT ref: 00B78437
                                • fputs.MSVCRT ref: 00B78401
                                  • Part of subcall function 00B41FB3: __EH_prolog.LIBCMT ref: 00B41FB8
                                • __EH_prolog.LIBCMT ref: 00B783C4
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputc
                                • String ID:
                                • API String ID: 678540050-0
                                • Opcode ID: 80e5a4235db85cec9dce6deb745e947b325c933c0ef5e4e34e15015a48c7ae13
                                • Instruction ID: 565f43c0b5724be0a5c4217d5ddfd531f8df5e6f2a4acb0667e902f210f5c13d
                                • Opcode Fuzzy Hash: 80e5a4235db85cec9dce6deb745e947b325c933c0ef5e4e34e15015a48c7ae13
                                • Instruction Fuzzy Hash: 2C112531F441159BCF09BBA4DC13AAEBBF6DF80790F4004AAF402A33D1CF651A46AAD4
                                APIs
                                • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,00B477DB,?,?,00000000,?,00B47832,?), ref: 00B47773
                                • GetLastError.KERNEL32(?,00B477DB,?,?,00000000,?,00B47832,?,?,?,?,00000000), ref: 00B47780
                                • SetLastError.KERNEL32(00000000,?,?,00B477DB,?,?,00000000,?,00B47832,?,?,?,?,00000000), ref: 00B47797
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast$FilePointer
                                • String ID:
                                • API String ID: 1156039329-0
                                • Opcode ID: 02d559dae260b01cd1b6ff742ef9c0fb636bda800983f231a9a4d54c567be956
                                • Instruction ID: 16eeb6647dde2ab9e87e9e113968f6fd26c3e4e788fcd656578d8007a49f4ed8
                                • Opcode Fuzzy Hash: 02d559dae260b01cd1b6ff742ef9c0fb636bda800983f231a9a4d54c567be956
                                • Instruction Fuzzy Hash: F911C131604305AFEF15CF68DC85BAE7BE5EF04360F148469F92697291DBB09E14EB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B45A91
                                • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00B45AB7
                                • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00B45AEC
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AttributesFile$H_prolog
                                • String ID:
                                • API String ID: 3790360811-0
                                • Opcode ID: 62da38345dff6fc63c2513cee8ca079be512e43664ce2b7f91c1ad53958f94c4
                                • Instruction ID: 9e84cafcdc1a7093fcadbf22638699988d8a59e6148e4de0117451ea93e977fb
                                • Opcode Fuzzy Hash: 62da38345dff6fc63c2513cee8ca079be512e43664ce2b7f91c1ad53958f94c4
                                • Instruction Fuzzy Hash: 7801B532D00A25ABCF25AFA498C16BEB7F5EF40750F1444A6ED1163253CB354E01F660
                                APIs
                                • EnterCriticalSection.KERNEL32(00C02938), ref: 00B7588B
                                • LeaveCriticalSection.KERNEL32(00C02938), ref: 00B758BC
                                  • Part of subcall function 00B7C911: GetTickCount.KERNEL32 ref: 00B7C926
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterLeaveTick
                                • String ID: v
                                • API String ID: 1056156058-3261393531
                                • Opcode ID: 7b48c129c39948a612cdf184219bb9c1e90d9632c204eaaebebe289c39f225dd
                                • Instruction ID: 37527b072c96f5ab2eaa9f99db7d73b76788391b8f68fe5943830ad6e18e4e91
                                • Opcode Fuzzy Hash: 7b48c129c39948a612cdf184219bb9c1e90d9632c204eaaebebe289c39f225dd
                                • Instruction Fuzzy Hash: EBE0E575609250DFC304DF18D949E9A7BE5AF98311F0545AEF4598B3A2CB309849CBA2
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B55BEF
                                  • Part of subcall function 00B554C0: __EH_prolog.LIBCMT ref: 00B554C5
                                  • Part of subcall function 00B55630: __EH_prolog.LIBCMT ref: 00B55635
                                  • Part of subcall function 00B636EA: __EH_prolog.LIBCMT ref: 00B636EF
                                  • Part of subcall function 00B557C1: __EH_prolog.LIBCMT ref: 00B557C6
                                  • Part of subcall function 00B558BE: __EH_prolog.LIBCMT ref: 00B558C3
                                Strings
                                • Cannot seek to begin of file, xrefs: 00B5610F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Cannot seek to begin of file
                                • API String ID: 3519838083-2298593816
                                • Opcode ID: b8182a4ee5c7ec0352194c5808efa46692c877ea3827c8da4b39fddad2f9680e
                                • Instruction ID: 96a097719e6abf3714d39190fa70626ae3b120dec3e875a13c3dcfc7cf73968d
                                • Opcode Fuzzy Hash: b8182a4ee5c7ec0352194c5808efa46692c877ea3827c8da4b39fddad2f9680e
                                • Instruction Fuzzy Hash: 7C1200319046859FDB21DFA4C494BEEBBF5EF04316F0404EDE84667292DB70AE88CB51
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B84E8F
                                  • Part of subcall function 00B4965D: VariantClear.OLEAUT32(?), ref: 00B4967F
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ClearH_prologVariantfree
                                • String ID: file
                                • API String ID: 904627215-2359244304
                                • Opcode ID: d6a1604967de162b6ea642f92cf5a26f9f461beae3ad6d1d3d73957ac79fe8c5
                                • Instruction ID: 71c1d4f391ef941b5841d904a7a611d392e5055c18ee4ccb9646b58f860fa2a7
                                • Opcode Fuzzy Hash: d6a1604967de162b6ea642f92cf5a26f9f461beae3ad6d1d3d73957ac79fe8c5
                                • Instruction Fuzzy Hash: 03125B34900209DFCF25EFA8C995AEDBBF6EF44344F2444A8E405AB262DB31AE45DB10
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B62CE0
                                  • Part of subcall function 00B45E10: __EH_prolog.LIBCMT ref: 00B45E15
                                  • Part of subcall function 00B541EC: _CxxThrowException.MSVCRT(?,00BF4A58), ref: 00B5421A
                                  • Part of subcall function 00B4965D: VariantClear.OLEAUT32(?), ref: 00B4967F
                                • Cannot create output directory, xrefs: 00B63070
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ClearExceptionThrowVariant
                                • String ID: Cannot create output directory
                                • API String ID: 814188403-1181934277
                                • Opcode ID: ad1253a8697da2236246c3ee8b289bc19b28eb24078a74b48d9488bdb7fb42c1
                                • Instruction ID: 1f124544d0b0bcf29c633945f628eef5143d5c194ea04994b4696ecf2c028d94
                                • Opcode Fuzzy Hash: ad1253a8697da2236246c3ee8b289bc19b28eb24078a74b48d9488bdb7fb42c1
                                • Instruction Fuzzy Hash: AEF1AB30901289AFDF25EFA4C890AEDBBF1FF19300F1444E9E84567252DB35AE49DB51
                                APIs
                                • fputs.MSVCRT ref: 00B7C840
                                  • Part of subcall function 00B425CB: _CxxThrowException.MSVCRT(?,00BF4A58), ref: 00B425ED
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowfputs
                                • String ID:
                                • API String ID: 1334390793-399585960
                                • Opcode ID: c3cea586a4134205cc7ade2b54eb30dc8bf2eca15eed465ad77af889db2abb1e
                                • Instruction ID: f79c4c0d8dbbf608530a556478ac124149f8985d9ececfafeaa129f827339760
                                • Opcode Fuzzy Hash: c3cea586a4134205cc7ade2b54eb30dc8bf2eca15eed465ad77af889db2abb1e
                                • Instruction Fuzzy Hash: D011BF716047449FDB25CF59C8D1BAABBE6EF49304F0484AEE18A8B251CBB1BD44CB61
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: Open
                                • API String ID: 1795875747-71445658
                                • Opcode ID: 44f1bf20adc6adb462e1d7f1ae8ab91a76c5443f1615d4bb31108b31903c6eaa
                                • Instruction ID: c97df893418cc1c99baff879f479b2e30b987f80b93bcf187517284c130184bf
                                • Opcode Fuzzy Hash: 44f1bf20adc6adb462e1d7f1ae8ab91a76c5443f1615d4bb31108b31903c6eaa
                                • Instruction Fuzzy Hash: 2911A032501B449FC720EF34D891AEABBE1EF54310F40C9AEE5AA97212DB31A944CF50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B558C3
                                  • Part of subcall function 00B46C72: __EH_prolog.LIBCMT ref: 00B46C77
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: e6f6fcdbc89465766eb0380ebf7bc548efcf7a217e2ede7f98db92aab1de54af
                                • Instruction ID: fa004530b33bcbc736d8da4857a9c3d0b0f0a33d1925f0822c546bd18607d3e4
                                • Opcode Fuzzy Hash: e6f6fcdbc89465766eb0380ebf7bc548efcf7a217e2ede7f98db92aab1de54af
                                • Instruction Fuzzy Hash: B091DF319005099BCF35EFA4C8A5BEEBBF2EF44352F1444E8E942A7252DB315E48DB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B906B3
                                • _CxxThrowException.MSVCRT(?,00BFD480), ref: 00B908F2
                                  • Part of subcall function 00B41E0C: malloc.MSVCRT ref: 00B41E1F
                                  • Part of subcall function 00B41E0C: _CxxThrowException.MSVCRT(?,00BF4B28), ref: 00B41E39
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prologmalloc
                                • String ID:
                                • API String ID: 3044594480-0
                                • Opcode ID: 397447279d5697bc0dbd8f7ef7d95421610c282e4baa354962a6aa6125a0c353
                                • Instruction ID: f6acd8f0a1ba5d81842b99b604b37f2f99e0ac66814d307805b6c67f320d638e
                                • Opcode Fuzzy Hash: 397447279d5697bc0dbd8f7ef7d95421610c282e4baa354962a6aa6125a0c353
                                • Instruction Fuzzy Hash: 97911875D00259DFCF21EFA8C881AEEBBF5AF09304F1480E9E455A7252D730AE45DB61
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: ae8503b0f20a0849f29051ae96b550947c6ebbe7851ab2a5d7b7dc8bd3e630a8
                                • Instruction ID: 0916c07056018975e647c06e65f921e912f7a1f8296cf576851ea6766ca33e87
                                • Opcode Fuzzy Hash: ae8503b0f20a0849f29051ae96b550947c6ebbe7851ab2a5d7b7dc8bd3e630a8
                                • Instruction Fuzzy Hash: 5E51A170648B409FDB25DB64D494BEABBF1FF45301F1488DDE8DA4B201DB31A989DB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B67B4D
                                • memcpy.MSVCRT(00000000,00C027DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00B67C65
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologmemcpy
                                • String ID:
                                • API String ID: 2991061955-0
                                • Opcode ID: aca1fe26a57a1018912785b49c0979198d8707130543c2ab3ed455a5de1b1aa5
                                • Instruction ID: e5e5decdb3a38580de236ceb9c249c826448b4895e1b7eab160b322e17dd995a
                                • Opcode Fuzzy Hash: aca1fe26a57a1018912785b49c0979198d8707130543c2ab3ed455a5de1b1aa5
                                • Instruction Fuzzy Hash: 92418C71904219DBCF20EFA4C951BEEBBF4FF04304F2445A9E446A7292DB35AE09DB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B91516
                                  • Part of subcall function 00B910D3: __EH_prolog.LIBCMT ref: 00B910D8
                                • _CxxThrowException.MSVCRT(?,00BFD480), ref: 00B91561
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID:
                                • API String ID: 2366012087-0
                                • Opcode ID: 2eb2426405a88bb2b9eb603d972ed3dfff74ac2afa65663dc118948aa9e00809
                                • Instruction ID: cf28e83c02eb07e58026082ea6a5f45ee4caca937831e110f92649f2c6e8ed78
                                • Opcode Fuzzy Hash: 2eb2426405a88bb2b9eb603d972ed3dfff74ac2afa65663dc118948aa9e00809
                                • Instruction Fuzzy Hash: 9901F23250428AAEDF118F98C815BEE7FF8EF91350F0444AAF4455B251C3B6A95197A0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B75800
                                • fputs.MSVCRT ref: 00B75830
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputcfputsfree
                                • String ID:
                                • API String ID: 195749403-0
                                • Opcode ID: e26ff2625ec92ceb3aa56b5a0862da06b983ee8a430fe88018dbc123f4f4f446
                                • Instruction ID: af65a98375f13ede6ee7ad1ae89de530ac3ced98d219ab0d3e1422cc538924f4
                                • Opcode Fuzzy Hash: e26ff2625ec92ceb3aa56b5a0862da06b983ee8a430fe88018dbc123f4f4f446
                                • Instruction Fuzzy Hash: 50F05E32914514DFCB15AB94E4027EEBBF1EF04750F0088AAE916A7191CF746A95DB84
                                APIs
                                • SysAllocStringLen.OLEAUT32(?,?), ref: 00B4952C
                                • _CxxThrowException.MSVCRT(?,00BF55B8), ref: 00B4954A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AllocExceptionStringThrow
                                • String ID:
                                • API String ID: 3773818493-0
                                • Opcode ID: 77a664125fdd11bb728a9d3f07c7cb41bc779f1cca3c8079bf2f0a13ad1836dc
                                • Instruction ID: 7d3e0fb6d58af9c0a489299d56da49e0c5083f410f18ebb906456288ae0fdc97
                                • Opcode Fuzzy Hash: 77a664125fdd11bb728a9d3f07c7cb41bc779f1cca3c8079bf2f0a13ad1836dc
                                • Instruction Fuzzy Hash: 5BF06D72650304ABC710EFA8D886E97BBECEF14380740846AFA49CF210EB70E9008790
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID:
                                • API String ID: 1185151155-0
                                • Opcode ID: 36f1fd46c34bcac37bb5a7008ecb23ecceb18a4c7691383436ef99fcdd5698a6
                                • Instruction ID: a89fa47e674337102e68955d0ec98947205ec8cbb7bebe39e3c52933fbb674dd
                                • Opcode Fuzzy Hash: 36f1fd46c34bcac37bb5a7008ecb23ecceb18a4c7691383436ef99fcdd5698a6
                                • Instruction Fuzzy Hash: 65E0C2376091106F97162B48BC01D6437E5EBC9361325006FEA40E7370AF233D1AAEA4
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLast_beginthreadex
                                • String ID:
                                • API String ID: 4034172046-0
                                • Opcode ID: 7c0113db84d2b488ef0fc84a8e7486cb2fc9aebe3c1dec4c76a9fc0176b91b30
                                • Instruction ID: ad005f34ea386a398512b20429fd7784f5e5773ffd385190f5ff4cde387c7f49
                                • Opcode Fuzzy Hash: 7c0113db84d2b488ef0fc84a8e7486cb2fc9aebe3c1dec4c76a9fc0176b91b30
                                • Instruction Fuzzy Hash: D2E086B22492126BE3109B508C01FB7B6DCDB90741F4044AEF945C6280FA60CD00C361
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,00B49C6E), ref: 00B49C52
                                • GetProcessAffinityMask.KERNEL32(00000000), ref: 00B49C59
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: Process$AffinityCurrentMask
                                • String ID:
                                • API String ID: 1231390398-0
                                • Opcode ID: 002e9534dc8fc4f166c84acc2588a4d57da56f9568eefc7b7de177c1509c3116
                                • Instruction ID: db6e80910fedd2f2766d4e6bb8e6d100021cc2d36aa340fb8b62ff2c86ee2962
                                • Opcode Fuzzy Hash: 002e9534dc8fc4f166c84acc2588a4d57da56f9568eefc7b7de177c1509c3116
                                • Instruction Fuzzy Hash: 79B002B6450284EBDE14DBA09D8CD567F6CAA452053154655F509CB012DA3AD4468B64
                                APIs
                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 00B4B843
                                • GetLastError.KERNEL32 ref: 00B4B8AA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorLastmemcpy
                                • String ID:
                                • API String ID: 2523627151-0
                                • Opcode ID: c8cba14141705b6073cea6892ecc5c1e06f16dcd938d9c93f272deb12981b374
                                • Instruction ID: 0916ca1d38f1e2da3f0bfdf2b6e4e777f70a2d99e0248c6bde6b7560bd9d4693
                                • Opcode Fuzzy Hash: c8cba14141705b6073cea6892ecc5c1e06f16dcd938d9c93f272deb12981b374
                                • Instruction Fuzzy Hash: 69812A31A007059FDB64CE25C980E6AB7F6FF84314F1589AEEA8687A40D734FE45EB50
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 2436765578-0
                                • Opcode ID: 154951a29cb806aba6607f988d9c3da8292e5da761524fd7fbc621665f49b79d
                                • Instruction ID: fcfbdbba3b09009368d93e2ad3e73530af69d28533f76cb035e2e470d7215a36
                                • Opcode Fuzzy Hash: 154951a29cb806aba6607f988d9c3da8292e5da761524fd7fbc621665f49b79d
                                • Instruction Fuzzy Hash: 02E0C23414428CAACF105FA0D8447A93FE89F00355F00D096FD0C9F212D770C7D59740
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 23e11c8b46a7206fcdddf124e79e711931df9ef483fcc057cc7255b0618b5aaf
                                • Instruction ID: 9c2d0a1fa10d7be6617b7efed68f2c5fb3009a8ed1d472029254e0d9cd0da287
                                • Opcode Fuzzy Hash: 23e11c8b46a7206fcdddf124e79e711931df9ef483fcc057cc7255b0618b5aaf
                                • Instruction Fuzzy Hash: C5525B30900249DFDF11EFA8C598FADBBF5AF49304F284099E805AB2A1DB759E45CB21
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 3b64280e1d78d489d6b5fa3c4318cab4c58671b8f111ab59c47a564d8ca7a6bf
                                • Instruction ID: bed79f187935cb1ceda59f053471fa23014784f6dc60c02563bd3c3a5e07deeb
                                • Opcode Fuzzy Hash: 3b64280e1d78d489d6b5fa3c4318cab4c58671b8f111ab59c47a564d8ca7a6bf
                                • Instruction Fuzzy Hash: 8EF19B71A04785DFCB21CF64C490BAABBE1FF28305F9448EEE89A97211D730AD48CB51
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a613dd7892534d4790b4f2ff99f5789c5e8af83eae1f92b2ce9141201b08f4ed
                                • Instruction ID: 42eeec6cbf9bcfbff35d355429f51ef498c8ee0d2f50b3562849b12d889524af
                                • Opcode Fuzzy Hash: a613dd7892534d4790b4f2ff99f5789c5e8af83eae1f92b2ce9141201b08f4ed
                                • Instruction Fuzzy Hash: F7D17A70A04646AFDF28DFA8C880BEEBBF1BF09300F1049BDE555A7661D775A844DB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B8CF96
                                  • Part of subcall function 00B91511: __EH_prolog.LIBCMT ref: 00B91516
                                  • Part of subcall function 00B91511: _CxxThrowException.MSVCRT(?,00BFD480), ref: 00B91561
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrow
                                • String ID:
                                • API String ID: 2366012087-0
                                • Opcode ID: 6142d2dadbc094a3efffcfb13096d1b5dc1d3bf2f4de7a84f8d8e510ba59fda9
                                • Instruction ID: f66711f86019e8a8b7596222f98fb13615b44e6d219d940ed8ab095c1349f6b7
                                • Opcode Fuzzy Hash: 6142d2dadbc094a3efffcfb13096d1b5dc1d3bf2f4de7a84f8d8e510ba59fda9
                                • Instruction Fuzzy Hash: 98515B70900289DFCB11EFA8C8D8AAEBBF4EF49304F1444EEE45A97252C7759E45CB21
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 457ea0cfba7f6ac921299e74d18d747ea805598dd64c04dbb54c02772b353311
                                • Instruction ID: 358a65b7d2d06f614e82b63b3e869f13614a96aef538b0d448cbac839df170cd
                                • Opcode Fuzzy Hash: 457ea0cfba7f6ac921299e74d18d747ea805598dd64c04dbb54c02772b353311
                                • Instruction Fuzzy Hash: BA515D74A00606DFCB14CFA8C4809BAFBF2FF49340B1089ADD5A6AB750D731A906CF94
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: b0c248f78524986998f552fd54f36a604049af49492f2b0123c05d420cfef5a7
                                • Instruction ID: 19d47e2e1c1f58e2c1af64e315a727ecc0846a7db07783c99a624a837381acdc
                                • Opcode Fuzzy Hash: b0c248f78524986998f552fd54f36a604049af49492f2b0123c05d420cfef5a7
                                • Instruction Fuzzy Hash: 9B419070A00746EFEB24DF54C484B6ABBE4FF44311F248AAED496976A1D370ED81CB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B54255
                                  • Part of subcall function 00B5440B: __EH_prolog.LIBCMT ref: 00B54410
                                  • Part of subcall function 00B41E0C: malloc.MSVCRT ref: 00B41E1F
                                  • Part of subcall function 00B41E0C: _CxxThrowException.MSVCRT(?,00BF4B28), ref: 00B41E39
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                • Opcode ID: 2a8113fab1d008b148c4899b44382b3bed475cc54d0aa2d8eed2b4d6445dd702
                                • Instruction ID: 4ff4dcde8e5ed35d14e948483a3b3efe7ff6b445330d6b1db77fbb97a719f450
                                • Opcode Fuzzy Hash: 2a8113fab1d008b148c4899b44382b3bed475cc54d0aa2d8eed2b4d6445dd702
                                • Instruction Fuzzy Hash: 9551F6B1801784CFC325DF6AC18469AFBF0BF19304F5488AED49A9B752D7B0A648DB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B6D0E6
                                  • Part of subcall function 00B41E0C: malloc.MSVCRT ref: 00B41E1F
                                  • Part of subcall function 00B41E0C: _CxxThrowException.MSVCRT(?,00BF4B28), ref: 00B41E39
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrowmalloc
                                • String ID:
                                • API String ID: 3978722251-0
                                • Opcode ID: f79cc7d684eae64b28ebc6c80b891d7bda0d98f1d6f6becfa1c99db55326f893
                                • Instruction ID: 7f1d465f7f6be0419601dc4dc48fa850b96221f26675012617211487c21c0e0a
                                • Opcode Fuzzy Hash: f79cc7d684eae64b28ebc6c80b891d7bda0d98f1d6f6becfa1c99db55326f893
                                • Instruction Fuzzy Hash: 9E418F71E002559FCB10DBA8C984AAEBBF8EF55710F2445D9E446E7282CBB4DE44CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B57FCA
                                  • Part of subcall function 00B4950D: SysAllocStringLen.OLEAUT32(?,?), ref: 00B4952C
                                  • Part of subcall function 00B4950D: _CxxThrowException.MSVCRT(?,00BF55B8), ref: 00B4954A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AllocExceptionH_prologStringThrow
                                • String ID:
                                • API String ID: 1940201546-0
                                • Opcode ID: 9b4c2f39cde0e31f8904daa91c16253ae22b5016015deaba31255511f3b28fe5
                                • Instruction ID: 186fc3cfa7395b5448e2530101cb12fb353b47bc1e36fcda40c3f6273f9c2adc
                                • Opcode Fuzzy Hash: 9b4c2f39cde0e31f8904daa91c16253ae22b5016015deaba31255511f3b28fe5
                                • Instruction Fuzzy Hash: ED318072820109DADF15AFA4C891AFE77F0FF24316F5840E9E812B71A2DE359A0DDB51
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7ADBC
                                  • Part of subcall function 00B7AD29: __EH_prolog.LIBCMT ref: 00B7AD2E
                                  • Part of subcall function 00B7AF2D: __EH_prolog.LIBCMT ref: 00B7AF32
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: b2c6252a1b6b3f126ceb2f50bda6a416a48af29999254d2208299e7c70ca0770
                                • Instruction ID: 39f41c65122b62cb3558d2e62b26922247435e18924f6c098b28d37345cff376
                                • Opcode Fuzzy Hash: b2c6252a1b6b3f126ceb2f50bda6a416a48af29999254d2208299e7c70ca0770
                                • Instruction Fuzzy Hash: 0B41BC7144ABC0DEC326DF7881656CAFFE0AF25200F94C99ED4EA43752D670A60CD766
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: c8f4611e054163c4392b475633c88a2ed677184a250f2b001a8972193b57662d
                                • Instruction ID: 978e48abf26d5630e28c60ea7b963e24f757c3fb65fc9155eb634dea6968b3c6
                                • Opcode Fuzzy Hash: c8f4611e054163c4392b475633c88a2ed677184a250f2b001a8972193b57662d
                                • Instruction Fuzzy Hash: 69312AB0D10209DFCB14EF96C8918AFBBF5FF95364B20859EE52A67241D7349E00CBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B698F7
                                  • Part of subcall function 00B69987: __EH_prolog.LIBCMT ref: 00B6998C
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B6021F
                                  • Part of subcall function 00B53D66: __EH_prolog.LIBCMT ref: 00B53D6B
                                  • Part of subcall function 00B53D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53D7D
                                  • Part of subcall function 00B53D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53D94
                                  • Part of subcall function 00B53D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00B53DB6
                                  • Part of subcall function 00B53D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53DCB
                                  • Part of subcall function 00B53D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53DD5
                                 Similarity
                                 • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                 • String ID:
                                 • API String ID: 1532160333-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B61C74
                                  • Part of subcall function 00B46C72: __EH_prolog.LIBCMT ref: 00B46C77
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B57E5F
                                  • Part of subcall function 00B46C72: __EH_prolog.LIBCMT ref: 00B46C77
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                  • Part of subcall function 00B4757D: GetLastError.KERNEL32(00B4D14C), ref: 00B4757D
                                 Similarity
                                 • API ID: H_prolog$ErrorLastfree
                                 • String ID:
                                 • API String ID: 683690243-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B8BF91
                                  • Part of subcall function 00B8D144: __EH_prolog.LIBCMT ref: 00B8D149
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                 Similarity
                                 • API ID: H_prolog$free
                                 • String ID:
                                 • API String ID: 2654054672-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B8BDBA
                                  • Part of subcall function 00B8BE69: __EH_prolog.LIBCMT ref: 00B8BE6E
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00B41AD1,00000000,00000002,00000002,?,00B47B3E,?,00000000), ref: 00B47AFD
                                 Similarity
                                 • API ID: FileTime
                                 • String ID:
                                 • API String ID: 1425588814-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7C0B8
                                  • Part of subcall function 00B67193: __EH_prolog.LIBCMT ref: 00B67198
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                 Similarity
                                 • API ID: H_prolog$free
                                 • String ID:
                                 • API String ID: 2654054672-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B80364
                                  • Part of subcall function 00B801C4: __EH_prolog.LIBCMT ref: 00B801C9
                                  • Part of subcall function 00B80143: __EH_prolog.LIBCMT ref: 00B80148
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                  • Part of subcall function 00B803D8: __EH_prolog.LIBCMT ref: 00B803DD
                                  • Part of subcall function 00B8004A: __EH_prolog.LIBCMT ref: 00B8004F
                                 Similarity
                                 • API ID: H_prolog$free
                                 • String ID:
                                 • API String ID: 2654054672-0
                                APIs
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B8550A
                                  • Part of subcall function 00B84E8A: __EH_prolog.LIBCMT ref: 00B84E8F
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B85E30
                                  • Part of subcall function 00B808B6: __aulldiv.LIBCMT ref: 00B8093F
                                  • Part of subcall function 00B5DFC9: __EH_prolog.LIBCMT ref: 00B5DFCE
                                 Similarity
                                 • API ID: H_prolog$__aulldiv
                                 • String ID:
                                 • API String ID: 604474441-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B88ED6
                                  • Part of subcall function 00B89267: __EH_prolog.LIBCMT ref: 00B8926C
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00B47C8B
                                 Similarity
                                 • API ID: FileWrite
                                 • String ID:
                                 • API String ID: 3934441357-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B8BE6E
                                  • Part of subcall function 00B85E2B: __EH_prolog.LIBCMT ref: 00B85E30
                                 Similarity
                                 • API ID: H_prolog
                                 • String ID:
                                 • API String ID: 3519838083-0
                                APIs
                                 Similarity
                                 • API ID: fputs
                                 • String ID:
                                 • API String ID: 1795875747-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7F74A
                                  • Part of subcall function 00B7F784: __EH_prolog.LIBCMT ref: 00B7F789
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 15c01aaba1f48d4f09c5a2502d3fb672be1bf2153d29e461af29d295b11b8ae7
                                • Instruction ID: dd5c96a7370413f26832c0580a8740495a076f92bc9e9431fb44d0b57fb18c82
                                • Opcode Fuzzy Hash: 15c01aaba1f48d4f09c5a2502d3fb672be1bf2153d29e461af29d295b11b8ae7
                                • Instruction Fuzzy Hash: 32D012B2A54245BFD7149B45DC13BAEB7B8EB40754F10456FF00171241D7B5590086A4
                                APIs
                                • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,00B4785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00B47B65
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 3fb8230eff336438ad90a11f100600c71c4fa8656d2de5846eddc5e9534c33f3
                                • Instruction ID: 76c5ba9835d206be58c6db924352978083ba944256349bbbfd1857dfb472d39c
                                • Opcode Fuzzy Hash: 3fb8230eff336438ad90a11f100600c71c4fa8656d2de5846eddc5e9534c33f3
                                • Instruction Fuzzy Hash: 1AE0EC75200308FBDF01CF90CC41F8E7BB9AB49754F208058E905AA160C775AA54EB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B980AF
                                  • Part of subcall function 00B41E0C: malloc.MSVCRT ref: 00B41E1F
                                  • Part of subcall function 00B41E0C: _CxxThrowException.MSVCRT(?,00BF4B28), ref: 00B41E39
                                  • Part of subcall function 00B8BDB5: __EH_prolog.LIBCMT ref: 00B8BDBA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                • Opcode ID: 4b66e1aa04fda62634206734c6442ec5e5f185f8b1ada53c17393a3d34d88add
                                • Instruction ID: 322b3321c795022583c01f2aa6a8f0be3e9949f353ee39f7ef5ce832d9b01661
                                • Opcode Fuzzy Hash: 4b66e1aa04fda62634206734c6442ec5e5f185f8b1ada53c17393a3d34d88add
                                • Instruction Fuzzy Hash: 11D01771B05201AEDB08ABB8942276EB6E1EB44300F0049BEA016E3781EF749A008720
                                APIs
                                • FindClose.KERNELBASE(00000000,?,00B46880), ref: 00B46853
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                • Opcode ID: 26ab46fab837c165f1bcf9c33718becba29276f8bba8e72d5688c6ed73eb7350
                                • Instruction ID: 202ae738f1087c3752d6a805b9e78eb5f602b77ecb64d674aff3ca31f18abd64
                                • Opcode Fuzzy Hash: 26ab46fab837c165f1bcf9c33718becba29276f8bba8e72d5688c6ed73eb7350
                                • Instruction Fuzzy Hash: 54D0123110426146CA645E3D78449C537D8AE17334321079AF0B0D71E1D7608C836651
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                • Opcode ID: 6bf8384ff5d96fd34c41707788ed1c8f0b33424da8a24ed0e712bef1c31a47db
                                • Instruction ID: 29994e4d667a3fe1746a9547f1cf9ce0e6116583ab72b1e7405ee7864a60afba
                                • Opcode Fuzzy Hash: 6bf8384ff5d96fd34c41707788ed1c8f0b33424da8a24ed0e712bef1c31a47db
                                • Instruction Fuzzy Hash: 27D0C936008251AF96256F05EC09C8BFFE5FFD5320721082FF480921609B626925EAA5
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputc
                                • String ID:
                                • API String ID: 1992160199-0
                                • Opcode ID: 254f757d58e4c16f28cc176fe58806a4ef9c91905e152eb4a5cafa4df9cd5c12
                                • Instruction ID: 381da7f722268820c0b94ecf7f120aef9f890d453621bbb7f9cec9ab9428e1c0
                                • Opcode Fuzzy Hash: 254f757d58e4c16f28cc176fe58806a4ef9c91905e152eb4a5cafa4df9cd5c12
                                • Instruction Fuzzy Hash: 72B092323082209FE6181A9CBC0AAC06B94DB09732B21005BF544D61909E915C824A96
                                APIs
                                • SetFileTime.KERNELBASE(?,?,?,?,00B47C65,00000000,00000000,?,00B4F238,?,?,?,?), ref: 00B47C49
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: FileTime
                                • String ID:
                                • API String ID: 1425588814-0
                                • Opcode ID: f3260bcb750e7d04bfd6e7c20276aa52a13976572e77443ddce106b7f487ae36
                                • Instruction ID: 7ccba240d2fe5cabe38e42620779ccd528c480861b2e54e425aedba408047b94
                                • Opcode Fuzzy Hash: f3260bcb750e7d04bfd6e7c20276aa52a13976572e77443ddce106b7f487ae36
                                • Instruction Fuzzy Hash: 9CC04C36158105FF8F020F70CC45C1ABFA2ABA5711F10C918F15AC5070CB328424EB02
                                APIs
                                • SetEndOfFile.KERNELBASE(?,00B47D81,?,?,?), ref: 00B47D3E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: File
                                • String ID:
                                • API String ID: 749574446-0
                                • Opcode ID: c3c636658839a99efd731d7b67c28ba432fef82b9021ecca3b22c4f27096bfad
                                • Instruction ID: 0aebaa9803d7f1d26f51ed28ad927c3c399ef92a19be4531dfcf0babb9c0d529
                                • Opcode Fuzzy Hash: c3c636658839a99efd731d7b67c28ba432fef82b9021ecca3b22c4f27096bfad
                                • Instruction Fuzzy Hash: 84A002702E515B8F8F111F34DC498243EA1BB5370777027A8B113DF4F5DF22441AAA02
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memmove
                                • String ID:
                                • API String ID: 2162964266-0
                                • Opcode ID: 160358ba6358c6624f67b1f5ae7b13c2389ada0a446b1685fada350c137c8b22
                                • Instruction ID: 091cdc36d93eec7fc1477421d0d2ea34f2c90b342ddce9ce66d13a283c980ed3
                                • Opcode Fuzzy Hash: 160358ba6358c6624f67b1f5ae7b13c2389ada0a446b1685fada350c137c8b22
                                • Instruction Fuzzy Hash: 04815A71E012499FCF94CFA8C4C0AAEBFF1EB48B00F1484AAD911B7241D731AE80DB64
                                APIs
                                • CloseHandle.KERNELBASE(00000000,00000000,00B53D8D,?,00000000,?,?,00000000,00000000,76368E30), ref: 00B53E12
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: b6bcfd7a19a527413271425ffbf1b37fd0b315047f08b6674599b16d65d2ee43
                                • Instruction ID: 67acba2d6c0c5197ae6bc33c7eba72f7151f99e01238158609e4dbb9bdba86cb
                                • Opcode Fuzzy Hash: b6bcfd7a19a527413271425ffbf1b37fd0b315047f08b6674599b16d65d2ee43
                                • Instruction Fuzzy Hash: B8D0123151421147DB705E2CFC467D163DDAF14762B1544DDFC90DB240EB64CCD75A60
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                • Instruction ID: 9071a2843c2bcd108aa88ccf866624a96e24a6a74cc00409a74ab721e6a82540
                                • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                • Instruction Fuzzy Hash: FFD012B161360626DF484A304C4BF6B72D56F5035AF2C85FDE893CB291FB19CA199258
                                APIs
                                • CloseHandle.KERNELBASE(00000000,?,00B475AF,00000002,?,00000000,00000000), ref: 00B47657
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: e7b2d0f0a0676fc6bc7e44c81cf934052efbde0c55307e06da8d647a843f7f62
                                • Instruction ID: 0ed4d9e918d22eaaae3db3c924f0f443e609c0f708a59c1b4562b0961eaff4eb
                                • Opcode Fuzzy Hash: e7b2d0f0a0676fc6bc7e44c81cf934052efbde0c55307e06da8d647a843f7f62
                                • Instruction Fuzzy Hash: 1BD01231148662468A645E3C78469C237DA9A233343620799F0B5D72E1DB708C839650
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000), ref: 00BC6B31
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 034db79b98c0347bdde2121f347f5b7b4daf34cb3252f218044b4d95a9bc18b9
                                • Instruction ID: 032935c0e42731b322668159e437f138496668a026dd00a0c6ce6abc6798f3ef
                                • Opcode Fuzzy Hash: 034db79b98c0347bdde2121f347f5b7b4daf34cb3252f218044b4d95a9bc18b9
                                • Instruction Fuzzy Hash: F3C08CE1A4D280DFDF0213108C807603F208B83300F0A00C1E8045B093C6041C09C722
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                • Instruction ID: 0b999ed7ea53bb16bf049894a44739e7fcfd4015a0fd9b840460925c2ecd5fdb
                                • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                • Instruction Fuzzy Hash: A5A024C55130C101DD1C13303C01D3710C117503077C404FD7403C0301F735C5041005
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                • Instruction ID: 2c57c4c4c6e5e7f5c1fa85948e5b16d41d1f0b80f8e4540f48025bea351a05c3
                                • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                • Instruction Fuzzy Hash: E2A012CCE01041019D0410343801D23109366E06057D8C4F8740180205FA14C0042003
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BC6BAC
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-0
                                • Opcode ID: 8eb9a083cb6839cdb86f13d8d31012bd50bd0f226c7532bbe79db6fb6643645c
                                • Instruction ID: 0b32648758b0cece5c220a590c90685571e74a9d2ad79711cda8df25ea204d1a
                                • Opcode Fuzzy Hash: 8eb9a083cb6839cdb86f13d8d31012bd50bd0f226c7532bbe79db6fb6643645c
                                • Instruction Fuzzy Hash: 5EA00278680740B7ED7067306D8FF593B247780F05F308544B2516E0D15EE475459A5C
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: a150d7000742cffc96b66169ec5edaa6c84b539fd540f9f38b096068a261e046
                                • Instruction ID: d4468a40b67f839b2fe188cea7a722200609394e1bf13733d24228cb3135f011
                                • Opcode Fuzzy Hash: a150d7000742cffc96b66169ec5edaa6c84b539fd540f9f38b096068a261e046
                                • Instruction Fuzzy Hash: 89A00271405281DBDA051B10ED494897F61EF85627B214459F057654718F314C61BA02
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                • GetCurrentProcessId.KERNEL32(?,00C031C8,?,00000000), ref: 00BC57EA
                                  • Part of subcall function 00BDF050: memcpy.MSVCRT(?,?,?,00000000,?,?,?,00BD8202,?,?,?,00BD932B,?,?,00000000,00000000), ref: 00BDF07F
                                • GetCurrentThreadId.KERNEL32 ref: 00BC5803
                                  • Part of subcall function 00BDF050: memcpy.MSVCRT(?,?,00000040,00000000,?,?,?,00BD8202,?,?,?,00BD932B,?,?,00000000,00000000), ref: 00BDF09B
                                  • Part of subcall function 00BDF050: memcpy.MSVCRT(?,?,?,?,?,?), ref: 00BDF0D0
                                • LoadLibraryW.KERNEL32(advapi32.dll,00000004,?,00000000), ref: 00BC5821
                                • GetProcAddress.KERNEL32(00000000,SystemFunction036), ref: 00BC5833
                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00BC5865
                                • QueryPerformanceCounter.KERNEL32(?,?,00000000), ref: 00BC5876
                                • GetTickCount.KERNEL32 ref: 00BC588F
                                Similarity
                                • API ID: memcpy$CurrentLibrary$AddressCountCounterFreeLoadPerformanceProcProcessQueryThreadTick
                                • String ID: SystemFunction036$advapi32.dll
                                • API String ID: 3940253874-1354007664
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,7591F5D0,00000002,00000000,?,?,?,?,?,?,00B479D0,00B41AD1,00B47B3E,?,00000002), ref: 00B4926E
                                • GetProcAddress.KERNEL32(00000000), ref: 00B49275
                                • GetDiskFreeSpaceW.KERNEL32(00000002,?,00B47B3E,00B479D0,00B41AD1,?,?,?,?,?,?,00B479D0,00B41AD1,00B47B3E,?,00000002), ref: 00B492C5
                                Similarity
                                • API ID: AddressDiskFreeHandleModuleProcSpace
                                • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                • API String ID: 1197914913-1127948838
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B48300
                                • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00B4834F
                                • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00B4837C
                                • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00B4839B
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Similarity
                                • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                • String ID:
                                • API String ID: 1689166341-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B8D49B
                                  • Part of subcall function 00B8EBC9: __EH_prolog.LIBCMT ref: 00B8EBCE
                                Similarity
                                • API ID: H_prolog
                                • String ID: Copy$LZMA2
                                • API String ID: 3519838083-1006940721
                                Similarity
                                • API ID: Version
                                • String ID:
                                • API String ID: 1889659487-0
                                Similarity
                                • API ID: H_prolog
                                • String ID: ERROR$GNU$LongLink$LongName$PAX$PAX_error$PAX_overflow$PAX_unsupported_line$POSIX$SignedChecksum$WARNING$atime$bin_mtime$bin_psize$bin_size$ctime$mtime$pax_linkpath$pax_path$pax_size
                                • API String ID: 3519838083-1011227609
                                APIs
                                • __EH_prolog.LIBCMT ref: 00BA07B8
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                  • Part of subcall function 00B4297F: memcpy.MSVCRT(?,?,?,?,?,00B650A5,?,?), ref: 00B429B2
                                Similarity
                                • API ID: H_prologfreememcpy
                                • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname
                                • API String ID: 2037215848-4204487407
                                APIs
                                • memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00B4C09E
                                • memcmp.MSVCRT(?,00BF0258,00000010), ref: 00B4C0BB
                                • memcmp.MSVCRT(?,00BF0348,00000010), ref: 00B4C0CE
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                Similarity
                                • API ID: fputs$H_prolog$fputcfree
                                • String ID: Modified: $Path: $Size:
                                • API String ID: 2632947726-3207571042
                                Similarity
                                • API ID: H_prolog
                                • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                • API String ID: 3519838083-1909666238
                                Similarity
                                • API ID: H_prolog
                                • String ID: -Cert$:eos$AES$Central$Descriptor_ERROR$Local$StrongCrypto$ZipCrypto
                                • API String ID: 3519838083-2591855172
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $.$:mem$Delta$LZMA$LZMA2$o
                                • API String ID: 3519838083-3806607069
                                Similarity
                                • API ID: fputs
                                • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                                • API String ID: 1795875747-657955069
                                APIs
                                • EnterCriticalSection.KERNEL32(00C02938), ref: 00B7591F
                                • fputs.MSVCRT ref: 00B7595E
                                • fputs.MSVCRT ref: 00B75983
                                • LeaveCriticalSection.KERNEL32(00C02938), ref: 00B75A1F
                                Strings
                                • v, xrefs: 00B75A1F
                                • Would you like to replace the existing file:, xrefs: 00B75959
                                • with the file from archive:, xrefs: 00B7597E
                                Similarity
                                • API ID: CriticalSectionfputs$EnterLeave
                                • String ID: v$Would you like to replace the existing file:$with the file from archive:
                                • API String ID: 3346953513-622108208
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B64B61
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Similarity
                                • API ID: H_prologfree
                                • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                                • API String ID: 1978129608-4104380264
                                • Opcode ID: a14ad8781ca2e375f23c4c6bc9d7e61e26d3e06589979a1acb560fc6d4cd8090
                                • Instruction ID: 30f54fb38582b4ab81c9829d30842c76cb371c5255977015361a225fdd209499
                                • Opcode Fuzzy Hash: a14ad8781ca2e375f23c4c6bc9d7e61e26d3e06589979a1acb560fc6d4cd8090
                                • Instruction Fuzzy Hash: 7FB1CE31804689DECF21DFA4C581BEEBBF1EF15304F1444D9E48667282CB7A9E89DB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                                • API String ID: 3519838083-2104980125
                                • Opcode ID: 2c8015ba32e4537bb12ed5b17730e11416a4e5b8dc8e5be40bfb67c170d552c1
                                • Instruction ID: d3daccff7ac6d09de340e6f7325c6a2493be5e911ddbd2cf6450c035e1b83e0d
                                • Opcode Fuzzy Hash: 2c8015ba32e4537bb12ed5b17730e11416a4e5b8dc8e5be40bfb67c170d552c1
                                • Instruction Fuzzy Hash: F451BA30A0024AEBCF24DF58C480AADBBF1EF11304F1489DAE4559B692D770EB81EB95
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: exit$CriticalSection$EnterLeave
                                • String ID: v
                                • API String ID: 43521-3261393531
                                • Opcode ID: 816490dbd6bf937398de5b34450605e2c0040a4d64f39a9d36e6ac4514a4e4b7
                                • Instruction ID: ad7d1680abc6321a3f178c313467cb6ce2223ffe75a62e92e20a48aa36546141
                                • Opcode Fuzzy Hash: 816490dbd6bf937398de5b34450605e2c0040a4d64f39a9d36e6ac4514a4e4b7
                                • Instruction Fuzzy Hash: 5511E2B5501B018FC730EF61C881AA6F7F5BF44301B404AAFE18746A82EB71B98ACF51
                                APIs
                                • fputs.MSVCRT ref: 00B7CCC2
                                  • Part of subcall function 00B7C7D7: fputs.MSVCRT ref: 00B7C840
                                • fputs.MSVCRT ref: 00B7CE43
                                  • Part of subcall function 00B41F91: fflush.MSVCRT ref: 00B41F93
                                • fputs.MSVCRT ref: 00B7CD75
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                  • Part of subcall function 00B41FB3: __EH_prolog.LIBCMT ref: 00B41FB8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfflushfputc
                                • String ID: ERRORS:$WARNINGS:
                                • API String ID: 1876658717-3472301450
                                • Opcode ID: 76b5b48ed48f9e34e7d1b8fab2b9fe9d655114b4e254494c4d06e912e53bb172
                                • Instruction ID: 7eca5e67cbab63b34ec69b32a47940f6b390a0d154263e9412eb034b8e83f46f
                                • Opcode Fuzzy Hash: 76b5b48ed48f9e34e7d1b8fab2b9fe9d655114b4e254494c4d06e912e53bb172
                                • Instruction Fuzzy Hash: 67714B34A017019FDB29AF75D891BAABBE2EF44340F0488BDA86E57251CB30AD85DB51
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7D829
                                • EnterCriticalSection.KERNEL32(00C02960,?,00000001,?,?,00B7DBB0,?,0000006F,0000006F,?,?,00000000), ref: 00B7D83D
                                • fputs.MSVCRT ref: 00B7D88E
                                • LeaveCriticalSection.KERNEL32(00C02960,?,00000001,?,?,00B7DBB0,?,0000006F,0000006F,?,?,00000000), ref: 00B7D95F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeavefputs
                                • String ID: v
                                • API String ID: 2174113412-3261393531
                                • Opcode ID: bc32be2a9c77dbf02ff37d17aec1c08b1dc10ddec6a8c8940fda2c523acf0c96
                                • Instruction ID: d6df086a043b1e7fb3e9ae661ab4909eb2237bcb7dee9e35e806d059b2a279f9
                                • Opcode Fuzzy Hash: bc32be2a9c77dbf02ff37d17aec1c08b1dc10ddec6a8c8940fda2c523acf0c96
                                • Instruction Fuzzy Hash: 7F418E316007859FCB21AF64C4907AEBBF2FF45340F4488AEF5AA97252CB316945EB52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: Archive size: $Files read from disk$Volumes:
                                • API String ID: 2614055831-73833580
                                • Opcode ID: 83310836ef7d406acd2a8ac2df4e872d4b353c7a0aa0a6f08ef044716f4bcf00
                                • Instruction ID: 5d46f8ba9fc3e4cc5203d4e86c04f8cf895485eaefa94516a203b4bec7a18e98
                                • Opcode Fuzzy Hash: 83310836ef7d406acd2a8ac2df4e872d4b353c7a0aa0a6f08ef044716f4bcf00
                                • Instruction Fuzzy Hash: E521717190060ADFCB14EB64C852BEEBBF1BF14340F408569B516630E1DF706A89DB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B746D4
                                • EnterCriticalSection.KERNEL32(00C02918), ref: 00B746E8
                                • CompareFileTime.KERNEL32(?,?), ref: 00B74712
                                • LeaveCriticalSection.KERNEL32(00C02918), ref: 00B7476A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                                • String ID: v
                                • API String ID: 3800395459-3261393531
                                • Opcode ID: edfc3311c47298e967a0ac124aa7ea3b75a373963d46b4adf5c03d5fec63516d
                                • Instruction ID: 103ea164145cdcb0b15e36f3af3ff3eed94391f78b8729f3cc93a71c3ca1d907
                                • Opcode Fuzzy Hash: edfc3311c47298e967a0ac124aa7ea3b75a373963d46b4adf5c03d5fec63516d
                                • Instruction Fuzzy Hash: A521AC71600645AFDB24CF28C484B9ABBF4FF41306F108499E86A97612D730EE48CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B74642
                                • EnterCriticalSection.KERNEL32(00C02918), ref: 00B74656
                                • LeaveCriticalSection.KERNEL32(00C02918), ref: 00B74685
                                • LeaveCriticalSection.KERNEL32(00C02918), ref: 00B746C5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$EnterH_prolog
                                • String ID: v
                                • API String ID: 2532973370-3261393531
                                • Opcode ID: 7366b774066c86fea737a6fd0a4dbcbd935ac8299d56720f3a08048bbc3e5032
                                • Instruction ID: a3fdc711bff2903d6a6dd45955cb99c79b27648c2f999c5539eb538c13e0cca4
                                • Opcode Fuzzy Hash: 7366b774066c86fea737a6fd0a4dbcbd935ac8299d56720f3a08048bbc3e5032
                                • Instruction Fuzzy Hash: 67115E75B00201AFC710DF15C8C496EBBE9FF8A711B1082ADE82ADB701DB74ED058B90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7D40B
                                • fputs.MSVCRT ref: 00B7D42E
                                  • Part of subcall function 00B41FB3: __EH_prolog.LIBCMT ref: 00B41FB8
                                • fputs.MSVCRT ref: 00B7D46A
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                  • Part of subcall function 00B41E40: free.MSVCRT ref: 00B41E44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputcfree
                                • String ID: : $Write SFX:
                                • API String ID: 1941438168-2530961540
                                • Opcode ID: 07fa527ace3628ae67a63b49ac65debad390c66a88e7e74308ff11e516c4cc46
                                • Instruction ID: 2af73ccba3b57d8c43700b651e4f285fa4a246c19983bea0fb2784861deb9488
                                • Opcode Fuzzy Hash: 07fa527ace3628ae67a63b49ac65debad390c66a88e7e74308ff11e516c4cc46
                                • Instruction Fuzzy Hash: BF018432A042059FCB05AFA4EC02BDDBBF6EF54350F10446AF515A31A1DF716955DB44
                                APIs
                                • GetVersion.KERNEL32(00B7C2E1), ref: 00BDD290
                                • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00BDD2A6
                                • GetProcAddress.KERNEL32(00000000), ref: 00BDD2AD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcVersion
                                • String ID: SetDefaultDllDirectories$kernel32.dll
                                • API String ID: 3310240892-2102062458
                                • Opcode ID: 2701baadd6e99d84ab4a69f6267b04b531dc2505ec211e82f3edc88cf79491df
                                • Instruction ID: 62cb1030aa3f871cd4d9941fbea741f10f4a6407893ea337a37ef367dc070733
                                • Opcode Fuzzy Hash: 2701baadd6e99d84ab4a69f6267b04b531dc2505ec211e82f3edc88cf79491df
                                • Instruction Fuzzy Hash: 70C0123024124597E61027F49D4EF262D969F10B42F4641C5FD41EA1F5DF98C4438523
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B59199
                                • memcpy.MSVCRT(?,?,?,?,00000000,?,?), ref: 00B5921D
                                • memcpy.MSVCRT(?,?,?,?,?,?,00000000,?,?), ref: 00B5933B
                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B5934F
                                • memset.MSVCRT ref: 00B5955C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memcpy$H_prologmemset
                                • String ID:
                                • API String ID: 2371260246-0
                                • Opcode ID: 1ec3a66120cb49d808b04532a4940442000a4ecbd02279c65b47a4d44d20fc94
                                • Instruction ID: eaef75ff06f8b092cda1b4b7459d6a0716ec2bffc94c2bce16d5e8cc40e8eb1e
                                • Opcode Fuzzy Hash: 1ec3a66120cb49d808b04532a4940442000a4ecbd02279c65b47a4d44d20fc94
                                • Instruction Fuzzy Hash: CE124771A00246DFDB20CFA4C884BAEB7F5EF49301F2488E9E95ADB251D775AD49CB10
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: wcscmp$ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 2750596395-0
                                • Opcode ID: 1d65555b319866076f5fc94fec7b201c20d4ca3dda63882742e6d56309614e40
                                • Instruction ID: 1cc961ad48e956993fa3fe6c0dce28462d0b7688bedce2672dc3bcec56bd745c
                                • Opcode Fuzzy Hash: 1d65555b319866076f5fc94fec7b201c20d4ca3dda63882742e6d56309614e40
                                • Instruction Fuzzy Hash: 64918931D012499FCF25DFA8C885BEDBBF1EF54304F1880A9E811A7292CB709B45EB91
                                APIs
                                • memset.MSVCRT ref: 00BA03F5
                                • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00BA0490
                                • memset.MSVCRT ref: 00BA0618
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memset$memcpy
                                • String ID: $@
                                • API String ID: 368790112-1077428164
                                • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                • Instruction ID: f986be1edf459eb7ab92b9d64f12f1cdd1c9c791e4f170bdd27409ddfeb51244
                                • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                • Instruction Fuzzy Hash: 6E91B430914709AFDF20EF24C881BDAB7F1FF56304F048599E55A56252DB70BA99CF90
                                APIs
                                  • Part of subcall function 00BD7D80: WaitForSingleObject.KERNEL32(?,000000FF,00B5AFD6,?), ref: 00BD7D83
                                  • Part of subcall function 00BD7D80: GetLastError.KERNEL32(?,000000FF,00B5AFD6,?), ref: 00BD7D8E
                                • EnterCriticalSection.KERNEL32(?), ref: 00BC926B
                                • EnterCriticalSection.KERNEL32(?), ref: 00BC9274
                                • LeaveCriticalSection.KERNEL32(?), ref: 00BC9296
                                • LeaveCriticalSection.KERNEL32(?), ref: 00BC9299
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                                • String ID: v
                                • API String ID: 2116739831-3261393531
                                • Opcode ID: 7a6f50a3a0acc5335545c87c58454f01584c172c4b4ef27ce2bd5dc8264309cc
                                • Instruction ID: 038415894af791e5018ad504fb06590972fbd40484aa7cb2c2d073ac63300ef3
                                • Opcode Fuzzy Hash: 7a6f50a3a0acc5335545c87c58454f01584c172c4b4ef27ce2bd5dc8264309cc
                                • Instruction Fuzzy Hash: 0F414A31600B05AFD718DF79C984BAAF3E9FF48310F00866EE4AA47681DB75B955CB90
                                APIs
                                • memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00B544DB
                                • memcmp.MSVCRT(?,00BF0128,00000010), ref: 00B544EE
                                • memcmp.MSVCRT(?,00BF0228,00000010), ref: 00B5450B
                                • memcmp.MSVCRT(?,00BF0248,00000010), ref: 00B54528
                                • memcmp.MSVCRT(?,00BF01C8,00000010), ref: 00B54545
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 074020a5405478dde48660180829e5f776d339c84b503a8acec8cc01a2ee7306
                                • Instruction ID: 4fbe4a11dca50344fdec0a606f6d72cc25df9233932ff17ac487a2cd56c35383
                                • Opcode Fuzzy Hash: 074020a5405478dde48660180829e5f776d339c84b503a8acec8cc01a2ee7306
                                • Instruction Fuzzy Hash: 6B2183727502096BE7049E10AC81F7E73E8DB607A9B0481F5FE0A9B256F764DE488690
                                APIs
                                • memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00B689D5
                                • memcmp.MSVCRT(?,00BF0258,00000010), ref: 00B689F2
                                • memcmp.MSVCRT(?,00BF0328,00000010), ref: 00B68A05
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 3fe55c3d44c465b294e95ce2e5a4c3fa30cf73419cfca9d133d4c84bfbe05e1a
                                • Instruction ID: 016ba0b72e26569c28fc9f80aa3dcd9dea3e5bdaaecbec209039c50b3472a25b
                                • Opcode Fuzzy Hash: 3fe55c3d44c465b294e95ce2e5a4c3fa30cf73419cfca9d133d4c84bfbe05e1a
                                • Instruction Fuzzy Hash: 7E21C6716502096BE7049A20CC82F7E73ECDB60794F0442AAFE4ADB352FA78DD4497A1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B459C4
                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000000,?,?,?,?,?), ref: 00B45A03
                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,00000000,?,?,00000000,?,?,?,?,?), ref: 00B45A43
                                • SetFileTime.KERNEL32(000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 00B45A65
                                • CloseHandle.KERNEL32(000000FF,?,00000000,?,?,?,?,?,?,?), ref: 00B45A73
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: File$Create$CloseH_prologHandleTime
                                • String ID:
                                • API String ID: 213185242-0
                                • Opcode ID: 3d89cda2cbc05fbf70963ef0584ea3cd17c708efa7c0a535905e1a371700af53
                                • Instruction ID: 46e0d5f3e59a918ec36980bf1ca7a3cd25155ecaa8eeb38ac93ae235c9e63442
                                • Opcode Fuzzy Hash: 3d89cda2cbc05fbf70963ef0584ea3cd17c708efa7c0a535905e1a371700af53
                                • Instruction Fuzzy Hash: B0218B31D4061AABDF219FA4DC46BEEBBB9FF04724F10066AE520761E2C7714B41EB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: !$LZMA2:$LZMA:
                                • API String ID: 3519838083-3332058968
                                • Opcode ID: f6cb681e1a4817c67bd21de1054b99f2eb8f13c61ddfa1ba55b3d4b68c342182
                                • Instruction ID: 1a84312ba53ebe95bd079f0fd4c3322be8453c94276aa6dc4d671da0ed5ce17b
                                • Opcode Fuzzy Hash: f6cb681e1a4817c67bd21de1054b99f2eb8f13c61ddfa1ba55b3d4b68c342182
                                • Instruction Fuzzy Hash: CE619AB090014A9ADF25EB64C59ABFD7FE1EF25344F2840F9E40667172EB70AE80D760
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: : Removing files after including to archive$Removing
                                • API String ID: 1185151155-1218467041
                                • Opcode ID: fea6d11ab966189fbe777e2843ce6f8368a505b6a45981dbc17531c661c4685b
                                • Instruction ID: c2bd6a776b878462634234c8db7667d7bd440709cbc5e73252274721674ed942
                                • Opcode Fuzzy Hash: fea6d11ab966189fbe777e2843ce6f8368a505b6a45981dbc17531c661c4685b
                                • Instruction Fuzzy Hash: B43171325047019FC765AF74D891ABAB7F6AF54350F4088AEE1AF03162DF217A89EB11
                                APIs
                                • __EH_prolog.LIBCMT ref: 00BAD8F0
                                • EnterCriticalSection.KERNEL32(?), ref: 00BAD904
                                • LeaveCriticalSection.KERNEL32(?), ref: 00BAD994
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: e01d788feda9fd172eed1e186195b8e03bb7ff427d198985e5ed4d52baf6eb73
                                • Instruction ID: c425bd46eb2fbe71e1748f6536d6726aa15b873b06f61867f9eae81e26d56808
                                • Opcode Fuzzy Hash: e01d788feda9fd172eed1e186195b8e03bb7ff427d198985e5ed4d52baf6eb73
                                • Instruction Fuzzy Hash: 3C31BFB9A00701DFCB24DF68C984A6BBBF4FF49751B0449ADE89A97B11D730E904CB50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B507E0
                                • EnterCriticalSection.KERNEL32(?), ref: 00B507F2
                                • LeaveCriticalSection.KERNEL32(?), ref: 00B5086B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterH_prologLeave
                                • String ID: v
                                • API String ID: 367238759-3261393531
                                • Opcode ID: b299526ae8b2a2bac918b2ddd50e3919482d562989b02235448f28a023e5896c
                                • Instruction ID: 079952cd27d0c54f0bb6f30dd4e27b6b7154fb0fcb5a1e05dadad9590d19d7d2
                                • Opcode Fuzzy Hash: b299526ae8b2a2bac918b2ddd50e3919482d562989b02235448f28a023e5896c
                                • Instruction Fuzzy Hash: 06213935A00615DFD724CF29C584E6ABBF5FF88725B1586AED84A8B321D730ED05CB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: :
                                • API String ID: 2614055831-3653984579
                                • Opcode ID: baec54c2ae8a5aad7441d4b26b51be57a3f235aca6874afc36cf1e74880a90dc
                                • Instruction ID: d95f35384b7673e71fd4911cac636444fbc00d480131c597bba6f4b6f5a6226c
                                • Opcode Fuzzy Hash: baec54c2ae8a5aad7441d4b26b51be57a3f235aca6874afc36cf1e74880a90dc
                                • Instruction Fuzzy Hash: 4711D631900205DFCB15BF64C892EBEB7F2EF84350F10885EE81A57251DB316982DB51
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B506FB
                                • EnterCriticalSection.KERNEL32(?), ref: 00B5070B
                                • LeaveCriticalSection.KERNEL32(?,?), ref: 00B50786
                                  • Part of subcall function 00B5089E: _CxxThrowException.MSVCRT(?,00BF4A58), ref: 00B508C4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                                • String ID: v
                                • API String ID: 4150843469-3261393531
                                • Opcode ID: 18bbff0043fa9d9971e229cd29571d29ff75cfdc0e9c55a92276cd8844d749f4
                                • Instruction ID: 25b53fb37538c6a09e04c9a41c5b34352ffb70c41b273631a31b718d8c9e3c2b
                                • Opcode Fuzzy Hash: 18bbff0043fa9d9971e229cd29571d29ff75cfdc0e9c55a92276cd8844d749f4
                                • Instruction Fuzzy Hash: 5C214AB1A10605DFCB24EF28C584B6ABBF0FF08315F1089AEE84A8B642D731E915CF40
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00B493A7
                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00B493B7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: RtlGetVersion$ntdll.dll
                                • API String ID: 1646373207-1489217083
                                • Opcode ID: b40d423c253b1015d88a419a65e15d9e564bc7e601d84e99392d4de035f05223
                                • Instruction ID: a6e811863438b04d49e2697a3affb1218d04c47cb188d0f23afc740494548cc7
                                • Opcode Fuzzy Hash: b40d423c253b1015d88a419a65e15d9e564bc7e601d84e99392d4de035f05223
                                • Instruction Fuzzy Hash: 7BF09631A00218C6EF346B71DC477D737E49B50705F0005D4E605E2181DBB8DBC3D992
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7D087
                                • EnterCriticalSection.KERNEL32(00C02960), ref: 00B7D09A
                                  • Part of subcall function 00B7CF20: __EH_prolog.LIBCMT ref: 00B7CF25
                                  • Part of subcall function 00B7CF20: fputs.MSVCRT ref: 00B7CF92
                                • LeaveCriticalSection.KERNEL32(00C02960,?,?,00000001), ref: 00B7D0D6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 347903205-3261393531
                                • Opcode ID: 9378e794a93c5476228a1f4e0a3ecac8d06f9d887c97f02b006f9bdd890aea29
                                • Instruction ID: 7a72d442ec23583561df2454df1b410b87574b34d28bbe2a3bf18caf4409ba6d
                                • Opcode Fuzzy Hash: 9378e794a93c5476228a1f4e0a3ecac8d06f9d887c97f02b006f9bdd890aea29
                                • Instruction Fuzzy Hash: 55F06D32A00108FFDB099F54DC19FDDBBB9FF44310F00816AF5299A151CBB5AA55CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7D7BD
                                • EnterCriticalSection.KERNEL32(00C02960), ref: 00B7D7D0
                                • LeaveCriticalSection.KERNEL32(00C02960), ref: 00B7D804
                                  • Part of subcall function 00B7C911: GetTickCount.KERNEL32 ref: 00B7C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterH_prologLeaveTick
                                • String ID: v
                                • API String ID: 2547919631-3261393531
                                • Opcode ID: 0b5ef3c126ad6c5d9e0713df9e79d375830f37af7a0ea83007c7ae5a0ca99f4b
                                • Instruction ID: ca543585ae390cb06f1c9df7afcca5f3316747a49ea83dd78e2c703088dbf93e
                                • Opcode Fuzzy Hash: 0b5ef3c126ad6c5d9e0713df9e79d375830f37af7a0ea83007c7ae5a0ca99f4b
                                • Instruction Fuzzy Hash: 38F06D35610611EFCB14DB69C849B99BBF8EF45350F0484BAE819D7351DBB4E902CBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7D0F4
                                • EnterCriticalSection.KERNEL32(00C02960), ref: 00B7D108
                                  • Part of subcall function 00B7CF20: __EH_prolog.LIBCMT ref: 00B7CF25
                                  • Part of subcall function 00B7CF20: fputs.MSVCRT ref: 00B7CF92
                                • LeaveCriticalSection.KERNEL32(00C02960,?,?,00000000), ref: 00B7D133
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 347903205-3261393531
                                • Opcode ID: abdf7152a356e1ebd2982595f844b5c6f8f0b6a7f400837b7ee82dd10f5ee60e
                                • Instruction ID: 5e11e064e907be08893918ef0147ba4deb5608f89478512653bafdb5ddd8c5ea
                                • Opcode Fuzzy Hash: abdf7152a356e1ebd2982595f844b5c6f8f0b6a7f400837b7ee82dd10f5ee60e
                                • Instruction Fuzzy Hash: 5AF0E236B00200ABC7005B08CC45BAEBAA9EF84320F20407AF819E7241C7B89D058664
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7CFF9
                                • EnterCriticalSection.KERNEL32(00C02960,?,?,?,00B76A2C,?,?), ref: 00B7D00C
                                  • Part of subcall function 00B7CF20: __EH_prolog.LIBCMT ref: 00B7CF25
                                  • Part of subcall function 00B7CF20: fputs.MSVCRT ref: 00B7CF92
                                • LeaveCriticalSection.KERNEL32(00C02960,?,?,00000001,?,?,?,?,?,00B76A2C,?,?), ref: 00B7D037
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalH_prologSection$EnterLeavefputs
                                • String ID: v
                                • API String ID: 347903205-3261393531
                                • Opcode ID: 5a3592eb88732b442ba08bd84d9d30febf9b752f5555f66eaff1236a79b8d0f2
                                • Instruction ID: 74daadb31fbad9c9e7f623ff9b4cd3b4000ae71d61990c5a46ade6b5b48a05d7
                                • Opcode Fuzzy Hash: 5a3592eb88732b442ba08bd84d9d30febf9b752f5555f66eaff1236a79b8d0f2
                                • Instruction Fuzzy Hash: 7AF05832610114BFCB05AF54DC19FDEBBA9FF48320F00816AF819AA151CBB5AA11CB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B7D765
                                • EnterCriticalSection.KERNEL32(00C02960), ref: 00B7D778
                                • LeaveCriticalSection.KERNEL32(00C02960), ref: 00B7D7A0
                                  • Part of subcall function 00B7C911: GetTickCount.KERNEL32 ref: 00B7C926
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: CriticalSection$CountEnterH_prologLeaveTick
                                • String ID: v
                                • API String ID: 2547919631-3261393531
                                • Opcode ID: 330a9fddf75bb1cef86f56a654355dd798a499afb4892563b40abe2699ed35db
                                • Instruction ID: 944d066ed3fa2075f8247746f80e2d24dfd3c44dea8d78730e0770d1d382f137
                                • Opcode Fuzzy Hash: 330a9fddf75bb1cef86f56a654355dd798a499afb4892563b40abe2699ed35db
                                • Instruction Fuzzy Hash: 9AF05836A00615EFCB05DF68D849B99FBF8FF04320F00856AE42A97241DBB4AA55CB91
                                APIs
                                • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00B60359
                                • GetLastError.KERNEL32(?,?,00000000,?), ref: 00B60382
                                • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 00B603DA
                                • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 00B603F0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorFileLastSecurity
                                • String ID:
                                • API String ID: 555121230-0
                                • Opcode ID: e00e1bd96c41056cdaf4a9d8b11dc3fb7971b02adf3769852ada1d8d8dc67eb4
                                • Instruction ID: a89cf32ea03ca2363267aabb7c1230b4a2d62ea1161b118b03b0dae4d0dfb9ec
                                • Opcode Fuzzy Hash: e00e1bd96c41056cdaf4a9d8b11dc3fb7971b02adf3769852ada1d8d8dc67eb4
                                • Instruction Fuzzy Hash: 73315870910209EFDB10EFA5C880BAFBBF5FB48305F108999E466A7351D774AE41DB60
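Each record in this part of the report describes one recovered function of the 0000000A (7zr snapshot) process: its direct and sub-call API references with argument columns and ref addresses, the memory dump it was lifted from, and the IDA-plugin similarity identifiers. Two call patterns above are worth pulling out mechanically during triage: the GetModuleHandleW("ntdll.dll") / GetProcAddress("RtlGetVersion") pair at 00B493A7/00B493B7, a run-time import resolution whose target symbol is visible because the report shows the string argument, and the GetFileSecurityW / GetLastError / GetFileSecurityW sequence at 00B60359..00B603F0, which is the ordinary Win32 query-size-then-retry idiom rather than anything evasive. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample, that parses records in exactly this layout from a text export and extracts both patterns plus a histogram of API ID signatures. Its sample input is a trimmed excerpt copied from the records on this page (Associated-dump lines and opcode/instruction IDs dropped); the record layout it assumes (the five section headers and bullet lines as they appear here) is taken from this page and may differ in other Joe Sandbox exports.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed excerpt of three function records copied from
# the report above ("Associated" dump lines and opcode/instruction IDs dropped).
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 00B506FB
• EnterCriticalSection.KERNEL32(?), ref: 00B5070B
• LeaveCriticalSection.KERNEL32(?,?), ref: 00B50786
  • Part of subcall function 00B5089E: _CxxThrowException.MSVCRT(?,00BF4A58), ref: 00B508C4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
Similarity
• API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
• String ID: v
• API String ID: 4150843469-3261393531
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00B493A7
• GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00B493B7
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlGetVersion$ntdll.dll
• API String ID: 1646373207-1489217083
APIs
• GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00B60359
• GetLastError.KERNEL32(?,?,00000000,?), ref: 00B60382
• GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 00B603DA
• GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 00B603F0
Similarity
• API ID: ErrorFileLastSecurity
• String ID:
• API String ID: 555121230-0
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the sub-call marker
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@?$]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA"}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subfn: Optional[str] = None  # set when listed under "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # dump / plugin / similarity metadata

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")


def parse_records(text: str) -> list:
    """One FunctionRecord per 'APIs' header; bullets are routed by current section."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs":
            m = CALL_RE.match(raw)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.calls.append(Call(m["name"], m["module"], args, m["ref"].upper(), m["subfn"]))
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            m = FIELD_RE.match(raw)
            if m:
                rec.fields[m["key"].strip()] = m["value"].strip()
    return records


def dynamic_imports(records) -> list:
    """(ref, module, symbol) for each GetProcAddress; module comes from the preceding
    GetModuleHandle/LoadLibrary in the same function. A literal symbol name is visible
    statically; '?' or a raw hex value means it must be recovered at run time (None)."""
    found = []
    for rec in records:
        module = None
        for c in rec.calls:
            if c.subfn:
                continue
            if c.name in RESOLVERS and c.args:
                module = c.args[0]
            elif c.name == "GetProcAddress" and len(c.args) >= 2:
                sym = c.args[1]
                found.append((c.ref, module, None if sym == "?" or HEX8.match(sym) else sym))
    return found


def retry_after_error(records) -> dict:
    """Functions calling the same API twice with GetLastError in between: the Win32
    'query size, ERROR_INSUFFICIENT_BUFFER, call again' idiom. Keyed by first-call ref."""
    out = {}
    for rec in records:
        names = [c.name for c in rec.calls if not c.subfn]
        hits = {n for i, n in enumerate(names) if n != "GetLastError"
                for j in range(i + 1, len(names))
                if names[j] == n and "GetLastError" in names[i + 1:j]}
        if hits:
            out[rec.calls[0].ref] = sorted(hits)
    return out


def api_id_histogram(records) -> Counter:
    """How many recovered functions share each API ID signature."""
    return Counter(r.api_id for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} function records")
    for ref, mod, sym in dynamic_imports(recs):
        print(f"  dynamic import @ {ref}: {mod}!{sym}")
    for ref, names in retry_after_error(recs).items():
        print(f"  size-then-retry @ {ref}: {', '.join(names)}")
    for sig, n in api_id_histogram(recs).most_common():
        print(f"  {n}x {sig}")
```

Run it against a full text export of the function listing to get the dynamic-import and size-then-retry tables for the whole module; the histogram is useful because the report repeats near-identical CriticalSection wrapper functions many times, and collapsing them by API ID leaves the handful of distinctive functions (file, security-descriptor, version-query code) to read by hand.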
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prologfputcfree
                                • String ID:
                                • API String ID: 3247574066-0
                                • Opcode ID: 5210d6dd8614d7d17cb1d60cc037c630ba979fe895fe0cf7cd60d1c7cae0a1db
                                • Instruction ID: e7dc2b0c0296bf6d385d72702a187eebcc11d7562683345289a3b55e07e18a38
                                • Opcode Fuzzy Hash: 5210d6dd8614d7d17cb1d60cc037c630ba979fe895fe0cf7cd60d1c7cae0a1db
                                • Instruction Fuzzy Hash: E2F09632D000199BCB057B98DC52AAEBFB2EF50360F0040A7F90563161DF710A65EBC0
                                APIs
                                • wcscmp.MSVCRT ref: 00B98CC6
                                • __EH_prolog.LIBCMT ref: 00B988DD
                                  • Part of subcall function 00B98E31: __EH_prolog.LIBCMT ref: 00B98E36
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$wcscmp
                                • String ID: Can't open volume:
                                • API String ID: 3232955128-72083580
                                • Opcode ID: 6f8f16859ec1f33ff86b752fc2aa752f3abaf049de280e86bb317219ed1a34cd
                                • Instruction ID: be0f8123696f9e9bb8506f990a2258cd8fccd1f6c365ea9b92721a7e8f39ff73
                                • Opcode Fuzzy Hash: 6f8f16859ec1f33ff86b752fc2aa752f3abaf049de280e86bb317219ed1a34cd
                                • Instruction Fuzzy Hash: 97029D70900249DFCF15DBA8C494BEDBBF1EF56304F1880E9E44AA7292DB759E85CB11
                                APIs
                                • __EH_prolog.LIBCMT ref: 00B69536
                                  • Part of subcall function 00B4965D: VariantClear.OLEAUT32(?), ref: 00B4967F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ClearH_prologVariant
                                • String ID: Unknown error$Unknown warning
                                • API String ID: 1166855276-4291957651
                                • Opcode ID: ead0bb9302d1798046cad91657504a4e8e055997b1fc0be59b969178b024e455
                                • Instruction ID: 371b1e2a3aaf2423e6a9d38715b9aa3881b9f7ff8d65ff3d23796a380096c603
                                • Opcode Fuzzy Hash: ead0bb9302d1798046cad91657504a4e8e055997b1fc0be59b969178b024e455
                                • Instruction Fuzzy Hash: 82812571900709DBCB15DFA4C5909EEB7F4FF48304F5089AEE46AA7290DB74AE09CB64
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                 • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$crc
                                • API String ID: 3519838083-849529298
                                • Opcode ID: 2b799e8d2dfc6e33c591228cb358e5a830ec64a206fa17be773acde4c0fde0ba
                                • Instruction ID: 291896acd74468a96ae0162a6b2a8125ac6aa278a3537a0fc45e33f48d73f2f0
                                • Opcode Fuzzy Hash: 2b799e8d2dfc6e33c591228cb358e5a830ec64a206fa17be773acde4c0fde0ba
                                • Instruction Fuzzy Hash: 65519D3190020ADFCF54FF94D8819EEB7F5EF04384F1084A9E816672A2DB74AE49EB50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: wcscmp
                                • String ID: UNC
                                • API String ID: 3392835482-337201128
                                • Opcode ID: b93b8f546d028b69fec0f9adcde63463a8b82ca8e1c33c0f4b983c4652e44242
                                • Instruction ID: a15d87dc1c90d08e60f385a1f23f2ff0de389ea372c0a6d52dc86aa60b020e3b
                                • Opcode Fuzzy Hash: b93b8f546d028b69fec0f9adcde63463a8b82ca8e1c33c0f4b983c4652e44242
                                • Instruction Fuzzy Hash: 37211D353806109FDA28CF58D894F26B3E5FB45724B2488E9E6568B2A1C731ED52EB40
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prologstrlen
                                • String ID: sums
                                • API String ID: 1633371453-329994169
                                • Opcode ID: 4b865941ad8582fda3f63d31c58b82d1e65e6ba2d302e13ae34c534e07b0e332
                                • Instruction ID: 56fb60af193646f7b0015c09f8d03f76ff841d9d10fd8bf8311353ac8504a5c2
                                • Opcode Fuzzy Hash: 4b865941ad8582fda3f63d31c58b82d1e65e6ba2d302e13ae34c534e07b0e332
                                • Instruction Fuzzy Hash: B621AB329041589BCF04EBA8D492AEEF7F5EF84300F1440EAE40673292CBB51F41DB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: __aulldivstrlen
                                • String ID: M
                                • API String ID: 1892184250-3664761504
                                • Opcode ID: e40119c0635b6d839feff1b5c6c5846a9c1e8e09341b1f83b9f9535c25550f02
                                • Instruction ID: d3d58cfdcbf4884b54c7001d2d22536584e977e2aee9295f7b8a42979db30cc0
                                • Opcode Fuzzy Hash: e40119c0635b6d839feff1b5c6c5846a9c1e8e09341b1f83b9f9535c25550f02
                                • Instruction Fuzzy Hash: 05110A326043445BDB25DBA9C891EBEBBE9DF88310F1448BEE297972C1D931AC058360
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: BT2$LZMA
                                • API String ID: 3519838083-1343681682
                                • Opcode ID: 61aab1889218f4e38c2e1f88d32d42c742a87c60a852d480c5ab80862dead1fd
                                • Instruction ID: 2f9db7aa42fb3ea4cbf1f03a2bedb928fb7eb2f5ac1b237ae5c86e6b2b001ca9
                                • Opcode Fuzzy Hash: 61aab1889218f4e38c2e1f88d32d42c742a87c60a852d480c5ab80862dead1fd
                                • Instruction Fuzzy Hash: EC116D31A64258AADB18FBA4DC52FEDB7F0AF24B40F0041A9B512661E2EBF06E04D741
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: ErrorH_prologLast
                                • String ID: :
                                • API String ID: 1057991267-3653984579
                                • Opcode ID: ab3c6456fa87e96b3d2eca873c08714647b0133b88851e5f27e7876aebd6d013
                                • Instruction ID: 4f8f6252937db93c8712d76f8c9d1204fa5c46aff6cc148b164241594bf44c2b
                                • Opcode Fuzzy Hash: ab3c6456fa87e96b3d2eca873c08714647b0133b88851e5f27e7876aebd6d013
                                • Instruction Fuzzy Hash: A6118E369001059BCB05EBE4D846BEEBBF1AF54314F1040A9E802B7292DB719F45EB90
                                APIs
                                Strings
                                • Cannot open encrypted archive. Wrong password?, xrefs: 00B78698
                                • Cannot open the file as archive, xrefs: 00B786D0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                                • API String ID: 1795875747-1623556331
                                • Opcode ID: 0bf70551854a2e17eee38e674ba1daeff6180e7f798fccf349ba763b88f3bddb
                                • Instruction ID: 12967cebecdf3f849a209b18030ebab05644b7638e7bb78890eefa6cf7dbf153
                                • Opcode Fuzzy Hash: 0bf70551854a2e17eee38e674ba1daeff6180e7f798fccf349ba763b88f3bddb
                                • Instruction Fuzzy Hash: 2101D6317412006BCB04E754D499A7EB3E7AFC8340F54849EF506876D5DF74E942AB51
                                APIs
                                • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00B458D6,00000000,00000000), ref: 00B45999
                                Strings
                                • Internal Error: The failure in hardware (RAM or CPU), OS or program, xrefs: 00B4597B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: FormatMessage
                                • String ID: Internal Error: The failure in hardware (RAM or CPU), OS or program
                                • API String ID: 1306739567-2427807339
                                • Opcode ID: 01698914e8e0dd4bbf37f393278929971ac92d252937e640f0d10b7ba7117927
                                • Instruction ID: 31eb49f445938b6e1c031f649112d2f8deed96ff5fd782df433eb502ca63243f
                                • Opcode Fuzzy Hash: 01698914e8e0dd4bbf37f393278929971ac92d252937e640f0d10b7ba7117927
                                • Instruction Fuzzy Hash: 5FE02271200A81FFAF1527208C43CFF7BEDEA90B2035002D8F802A6252FA614F0236B8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: =
                                • API String ID: 1795875747-2525689732
                                • Opcode ID: d71d19d7e66a46333c298ebc6faf597ab9d4a219da2c439844d493aafb985c79
                                • Instruction ID: db944976fef590bfaf987330e8a71294cc64d06cd9a9e5b0140dad2eb84b7540
                                • Opcode Fuzzy Hash: d71d19d7e66a46333c298ebc6faf597ab9d4a219da2c439844d493aafb985c79
                                • Instruction Fuzzy Hash: E4E0DF31E001559BDB00BBED9C858BE7FA9EBC0354B0008A2F820DB211EB70DA21CBD0
                                APIs
                                • fputs.MSVCRT ref: 00B79594
                                • fputs.MSVCRT ref: 00B7959D
                                  • Part of subcall function 00B42201: fputs.MSVCRT ref: 00B4221E
                                  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: Archives
                                • API String ID: 1185151155-454332015
                                • Opcode ID: 99ba3ccffca9d0d57e35415f500bc2f9b7f3fc779db87159ec2dccdb252aa136
                                • Instruction ID: f0c8ac3008605f370ee090921498725fa3d58ca942b118dbc16d002102c93f71
                                • Opcode Fuzzy Hash: 99ba3ccffca9d0d57e35415f500bc2f9b7f3fc779db87159ec2dccdb252aa136
                                • Instruction Fuzzy Hash: D6D02B326002046BCB117FA89C01C6FBAE6EFD43107010C5FF98053131CF614865BF91
                                APIs
                                • memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00BA41D6
                                • memcmp.MSVCRT(?,00BF0168,00000010), ref: 00BA41F1
                                • memcmp.MSVCRT(?,00BF01E8,00000010), ref: 00BA4205
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: e16344fbf45faca5182a59f4069ef9b47bf40bd9aeedc12dc21b4b2295e42213
                                • Instruction ID: e662ae3a0ec36859ee9da3f2e0207f1c7d6c67e7a31ba3eae6eb4bdaf9744654
                                • Opcode Fuzzy Hash: e16344fbf45faca5182a59f4069ef9b47bf40bd9aeedc12dc21b4b2295e42213
                                • Instruction Fuzzy Hash: 8501043136430967D7105B14CC42F7EB7E4DBA6751F0444A9FE4AEB292F3F4AA549240
                                APIs
                                • memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00B6CDED
                                • memcmp.MSVCRT(?,00BF0108,00000010), ref: 00B6CE08
                                • memcmp.MSVCRT(?,00BF0138,00000010), ref: 00B6CE1C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
                                • Associated: 0000000A.00000002.2168485296.0000000000B40000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168590312.0000000000BEC000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168621049.0000000000C02000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000A.00000002.2168644820.0000000000C0B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_b40000_7zr.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 5a7cbddbb504909ce1a003961ee3f5ba87a697d9c67d7fd7287428e846db91f7
                                • Instruction ID: 7469945d35993ced29613350f13d5450cd968031e0381e2f80bec89397c3d6d8
                                • Opcode Fuzzy Hash: 5a7cbddbb504909ce1a003961ee3f5ba87a697d9c67d7fd7287428e846db91f7
                                • Instruction Fuzzy Hash: 4F01E53135020967D7105F14CC42F7EB7E4DB54B50F0444B9FEC9EB252F2AAB9149690
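The entries above are one record per function of the dumped 7zr image, each carrying the same fields (API ID, String ID, API String ID, the two fuzzy hashes, and the call references with their addresses). The parser below, added here and not part of the Joe Sandbox report, of 7-Zip or of Joe Sandbox's tooling, turns that listing into records so the fields can be pivoted on across functions and across samples. Its regular expressions, record layout and helper names are this example's assumptions, and REPORT_EXCERPT is a constructed sample built from four of the entries above with the repeated Memory Dump Source boilerplate left out.

```python
"""Parse Joe Sandbox function-similarity entries into records you can pivot on.

Added example, not part of the report or of Joe Sandbox: the field names are the
ones visible in the listing, the regular expressions and record layout are this
example's assumptions, and REPORT_EXCERPT is a constructed sample built from four
entries of the listing above (boilerplate lines omitted).
"""
import re

REPORT_EXCERPT = """\
APIs
• FormatMessageW.KERNEL32(00001300,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00B458D6,00000000,00000000), ref: 00B45999
Memory Dump Source
• Source File: 0000000A.00000002.2168508847.0000000000B41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B40000, based on PE: true
Similarity
• API ID: FormatMessage
• String ID: Internal Error: The failure in hardware (RAM or CPU), OS or program
• API String ID: 1306739567-2427807339
APIs
• fputs.MSVCRT ref: 00B79594
  • Part of subcall function 00B42201: fputs.MSVCRT ref: 00B4221E
  • Part of subcall function 00B41FA0: fputc.MSVCRT ref: 00B41FA7
Similarity
• API ID: fputs$fputc
• String ID: Archives
• API String ID: 1185151155-454332015
APIs
• memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00BA41D6
• memcmp.MSVCRT(?,00BF0168,00000010), ref: 00BA41F1
• memcmp.MSVCRT(?,00BF01E8,00000010), ref: 00BA4205
Similarity
• API ID: memcmp
• API String ID: 1475443563-0
APIs
• memcmp.MSVCRT(?,00BF48A0,00000010), ref: 00B6CDED
• memcmp.MSVCRT(?,00BF0108,00000010), ref: 00B6CE08
• memcmp.MSVCRT(?,00BF0138,00000010), ref: 00B6CE1C
Similarity
• API ID: memcmp
• API String ID: 1475443563-0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_CALL = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<call>.+)$")
HEX = re.compile(r"[0-9A-Fa-f]+")

def parse_api_line(item):
    """One 'APIs' bullet: 'name.MODULE(args), ref: addr', possibly marked as a subcall."""
    caller, sub = None, SUBCALL.match(item)
    if sub:
        caller, item = sub.group("func"), sub.group("call")
    m = API_CALL.match(item)
    if not m:  # keep lines the pattern does not cover rather than dropping them
        return {"raw": item, "subcall_of": caller}
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"), "ref": m.group("ref"),
            "args": args.split(",") if args else [], "subcall_of": caller}

def parse_report(text):
    """Split the listing into entries; every entry opens with its 'APIs' header."""
    entries, entry, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                entry = {"apis": [], "similarity": {}, "base": None}
                entries.append(entry)
            section = line
        elif entry is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs":
                entry["apis"].append(parse_api_line(item))
            elif section == "Memory Dump Source" and "Offset: " in item:
                entry["base"] = item.split("Offset: ")[1].split(",")[0]  # load address of the dump
            elif section == "Similarity":
                key, _, value = item.partition(":")
                entry["similarity"][key.strip()] = value.strip()
    return entries

def split_id(value):
    """'fputs$fputc' or 'BT2$LZMA': the report joins several names with '$'."""
    return [part for part in value.split("$") if part]

def rva(entry, ref):
    """Rebase a dump address onto the entry's recorded image base (ref - base)."""
    return int(ref, 16) - int(entry["base"], 16)

def group_by(entries, key):
    """Entries sharing one Similarity field, e.g. 'API String ID' or 'Instruction Fuzzy Hash'."""
    groups = {}
    for entry in entries:
        if entry["similarity"].get(key):
            groups.setdefault(entry["similarity"][key], []).append(entry)
    return groups

def fixed_length_compares(entries, length=0x10):
    """(ref, data address) of memcmp calls that compare exactly `length` bytes with a fixed address."""
    hits = []
    for call in (c for e in entries for c in e["apis"] if c.get("name") == "memcmp"):
        args = call["args"]
        if len(args) == 3 and HEX.fullmatch(args[1]) and HEX.fullmatch(args[2]) and int(args[2], 16) == length:
            hits.append((call["ref"], args[1]))
    return hits
```

On the sample, group_by(entries, "API String ID") pairs the two memcmp functions that share 1475443563-0 even though their Instruction Fuzzy Hashes differ, which is the pivot to use when looking for the same routine in another dump; fixed_length_compares lists the six 16-byte compares with the data addresses they are checked against, ready to be looked up in the dump; and rva(entry, "00B45999") gives the offset relative to the 00B40000 base recorded in the Memory Dump Source line, which is what you need to find the same function in the on-disk image.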