
Windows Analysis Report
3KFFG52TBI.exe

Overview

General Information

Sample name: 3KFFG52TBI.exe (renamed because original name is a hash value)
Original sample name: 0A886C39186AD2A6D3EB9F0736D81B14.exe
Analysis ID: 1581694
MD5: 0a886c39186ad2a6d3eb9f0736d81b14
SHA1: 8c6de9ade2663c78758eb1bbc4ed53c3bef2f306
SHA256: 586f4b53ba8a17c022fd339c206e8f1fc543e9d4bd189bcc15c0f2fee899d1a0
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 3KFFG52TBI.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\3KFFG52TBI.exe" MD5: 0A886C39186AD2A6D3EB9F0736D81B14)
    • 3KFFG52TBI.tmp (PID: 6708 cmdline: "C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp" /SL5="$20422,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" MD5: 69B4108233326BFF72DA366C9862D2B3)
      • powershell.exe (PID: 2844 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 3512 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • 3KFFG52TBI.exe (PID: 2316 cmdline: "C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT MD5: 0A886C39186AD2A6D3EB9F0736D81B14)
        • 3KFFG52TBI.tmp (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp" /SL5="$40410,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT MD5: 69B4108233326BFF72DA366C9862D2B3)
          • 7zr.exe (PID: 5764 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 5344 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4460 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1196 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6664 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5344 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2924 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 732 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 736 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6732 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5436 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5572 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5724 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5244 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1104 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6684 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp" /SL5="$20422,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp, ParentProcessId: 6708, ParentProcessName: 3KFFG52TBI.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2844, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4460, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 1196, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp" /SL5="$20422,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp, ParentProcessId: 6708, ParentProcessName: 3KFFG52TBI.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2844, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4460, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 1196, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp" /SL5="$20422,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp, ParentProcessId: 6708, ParentProcessName: 3KFFG52TBI.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2844, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 47%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF | Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\X2Wp7LmHrF.X2Wp7LmHrF | ReversingLabs: Detection: 47%
Source: 3KFFG52TBI.exe | Virustotal: Detection: 12%
Source: 3KFFG52TBI.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 85.4% probability
Source: 3KFFG52TBI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3KFFG52TBI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1800381036.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1800250621.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C03E090 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A86868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A87496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 3KFFG52TBI.tmp, 00000001.00000003.1766281163.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, X2Wp7LmHrF.X2Wp7LmHrF.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, X2Wp7LmHrF.X2Wp7LmHrF.6.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 3KFFG52TBI.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 3KFFG52TBI.exe, 00000000.00000003.1678948852.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.exe, 00000000.00000003.1679263791.000000007F58B000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000001.00000000.1680469042.0000000000DB1000.00000020.00000001.01000000.00000004.sdmp, 3KFFG52TBI.tmp, 00000006.00000000.1769996020.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, 3KFFG52TBI.tmp.5.dr, 3KFFG52TBI.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: 3KFFG52TBI.exe, 00000000.00000003.1678948852.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.exe, 00000000.00000003.1679263791.000000007F58B000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000001.00000000.1680469042.0000000000DB1000.00000020.00000001.01000000.00000004.sdmp, 3KFFG52TBI.tmp, 00000006.00000000.1769996020.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, 3KFFG52TBI.tmp.5.dr, 3KFFG52TBI.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process information set: 01 00 00 00

System Summary

Source: X2Wp7LmHrF.X2Wp7LmHrF.1.dr | Static PE information: section name: .aQ#
Source: X2Wp7LmHrF.X2Wp7LmHrF.6.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C048810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C049450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: String function: 6C119F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: String function: 6C07C240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B1FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A828E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A81E40 appears 82 times
Source: 3KFFG52TBI.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 3KFFG52TBI.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 3KFFG52TBI.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: 3KFFG52TBI.exe | Static PE information: Number of sections : 11 > 10
Source: 3KFFG52TBI.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: 3KFFG52TBI.exe, 00000000.00000003.1678948852.0000000002D9E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameX2Wp7LmHrF.exe vs 3KFFG52TBI.exe
Source: 3KFFG52TBI.exe, 00000000.00000003.1679263791.000000007F88A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameX2Wp7LmHrF.exe vs 3KFFG52TBI.exe
Source: 3KFFG52TBI.exe, 00000000.00000000.1677512151.0000000000C19000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameX2Wp7LmHrF.exe vs 3KFFG52TBI.exe
Source: 3KFFG52TBI.exe | Binary or memory string: OriginalFileNameX2Wp7LmHrF.exe vs 3KFFG52TBI.exe
Source: 3KFFG52TBI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@134/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C049450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A89313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A93D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A89252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C048930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Program Files (x86)\Windows NT\is-H8536.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | File created: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: 3KFFG52TBI.exe | Virustotal: Detection: 12%
Source: 3KFFG52TBI.exe | ReversingLabs: Detection: 36%
Source: 3KFFG52TBI.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | File read: C:\Users\user\Desktop\3KFFG52TBI.exe
Source: unknown | Process created: C:\Users\user\Desktop\3KFFG52TBI.exe "C:\Users\user\Desktop\3KFFG52TBI.exe"
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Process created: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp "C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp" /SL5="$20422,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe"
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process created: C:\Users\user\Desktop\3KFFG52TBI.exe "C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp "C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp" /SL5="$40410,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 3KFFG52TBI.exe | Static file information: File size 6820658 > 1048576
Source: 3KFFG52TBI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1800381036.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1800250621.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00B057D0
Source: 3KFFG52TBI.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343863
Source: 3KFFG52TBI.exe | Static PE information: real checksum: 0x0 should be: 0x6842ae
Source: 3KFFG52TBI.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343863
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: 3KFFG52TBI.exe | Static PE information: section name: .didata
Source: 3KFFG52TBI.tmp.0.dr | Static PE information: section name: .didata
Source: X2Wp7LmHrF.X2Wp7LmHrF.1.dr | Static PE information: section name: .00cfg
Source: X2Wp7LmHrF.X2Wp7LmHrF.1.dr | Static PE information: section name: .voltbl
Source: X2Wp7LmHrF.X2Wp7LmHrF.1.dr | Static PE information: section name: .aQ#
Source: 3KFFG52TBI.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: X2Wp7LmHrF.X2Wp7LmHrF.6.dr | Static PE information: section name: .00cfg
Source: X2Wp7LmHrF.X2Wp7LmHrF.6.dr | Static PE information: section name: .voltbl
Source: X2Wp7LmHrF.X2Wp7LmHrF.6.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C04BDDB push ecx; ret 6_2_6C04BDEE
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEF0F00 push ss; retn 0001h 6_2_6BEF0F0A
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C119F10 push eax; ret 6_2_6C119F2E
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C07E9F4 push 004AC35Ch; ret 6_2_6C07EA0E
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C11A290 push eax; ret 6_2_6C11A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A845F4 push 00B2C35Ch; ret 10_2_00A8460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B1FB10 push eax; ret 10_2_00B1FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B1FE90 push eax; ret 10_2_00B1FEBE
Source: X2Wp7LmHrF.X2Wp7LmHrF.1.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: X2Wp7LmHrF.X2Wp7LmHrF.6.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | File created: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\X2Wp7LmHrF.X2Wp7LmHrF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | File created: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\X2Wp7LmHrF.X2Wp7LmHrF
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\3KFFG52TBI.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6816
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2957
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Window / User API: threadDelayed 560
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Window / User API: threadDelayed 546
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Window / User API: threadDelayed 509
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\X2Wp7LmHrF.X2Wp7LmHrF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C03E090 FindFirstFileA, FindClose, FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A86868 __EH_prolog, FindFirstFileW, FindFirstFileW, FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A87496 __EH_prolog, GetLogicalDriveStringsW, GetLogicalDriveStringsW, GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A89C60 GetSystemInfo
Source: 3KFFG52TBI.tmp, 00000001.00000002.1773922018.0000000000CED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6BEC3886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C053871 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B057D0 GetCurrentProcessId, GetCurrentThreadId, LoadLibraryW, GetProcAddress, FreeLibrary, GetTickCount, QueryPerformanceCounter, GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C05D425 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C05D456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C05286D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C04C3AD SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp | Process created: C:\Users\user\Desktop\3KFFG52TBI.exe "C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp | Code function: 6_2_6C11A700 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A8AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B20090 GetVersion
MITRE ATT&CK techniques, listed per tactic column of the original matrix (a number in parentheses is the count displayed beside that technique in the matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (2), Command and Scripting Interpreter (2), Service Execution (1), Native API (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (241), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (431), Virtualization/Sandbox Evasion (241), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (45), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1581694 | Sample: 3KFFG52TBI.exe | Startdate: 28/12/2024 | Architecture: WINDOWS | Score: 96

Signatures attached to the start node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree recovered from the behavior graph (dropped files and signatures are listed under the process they belong to; paths elided in the original are left as they were):
  • 3KFFG52TBI.exe (started)
      dropped: C:\Users\user\AppData\...\3KFFG52TBI.tmp, PE32
      • 3KFFG52TBI.tmp (started)
          dropped: C:\Users\user\...\X2Wp7LmHrF.X2Wp7LmHrF, PE32
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          signature: Adds a directory exclusion to Windows Defender
          • 3KFFG52TBI.exe (started)
              dropped: C:\Users\user\AppData\...\3KFFG52TBI.tmp, PE32
              • 3KFFG52TBI.tmp (started)
                  dropped: C:\Users\user\...\X2Wp7LmHrF.X2Wp7LmHrF, PE32
                  dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32
                  dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                  dropped: C:\Program Files (x86)\Windows NT\7zr.exe, PE32
                  signature: Query firmware table information (likely to detect VMs)
                  signature: Protects its processes via BreakOnTermination flag
                  signature: Hides threads from debuggers
                  signature: Contains functionality to hide a thread from the debugger
                  • 7zr.exe (started)
                      dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
                      • conhost.exe (started)
                  • 7zr.exe (started)
                      • conhost.exe (started)
          • powershell.exe (started)
              signature: Loading BitLocker PowerShell Module
              • conhost.exe (started)
              • WmiPrvSE.exe (started)
  • cmd.exe (started)
      • sc.exe (started)
          • conhost.exe (started)
              • Conhost.exe (started)
  • cmd.exe (started)
      • sc.exe (started)
          • conhost.exe (started)
  • 31 other processes
      • sc.exe (started), three instances, each with a conhost.exe child
      • 27 other processes
          • conhost.exe (started)
          • 26 other processes

Antivirus detection for the submitted file:

Source | Detection | Scanner | Label
3KFFG52TBI.exe | 12% | Virustotal |
3KFFG52TBI.exe | 37% | ReversingLabs | Win32.Trojan.CrypterX

Antivirus detection for dropped files:

Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 47% | ReversingLabs | Win32.Trojan.CrypterX
C:\Program Files (x86)\Windows NT\hrsw.vbc | 57% | Virustotal |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF | 47% | ReversingLabs | Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\X2Wp7LmHrF.X2Wp7LmHrF | 57% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-3G76O.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\X2Wp7LmHrF.X2Wp7LmHrF | 47% | ReversingLabs | Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\is-HA5HP.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
No Antivirus matches
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high

URLs found in the sample:

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 3KFFG52TBI.exe | false | | high
https://www.remobjects.com/ps | 3KFFG52TBI.exe, 00000000.00000003.1678948852.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.exe, 00000000.00000003.1679263791.000000007F58B000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000001.00000000.1680469042.0000000000DB1000.00000020.00000001.01000000.00000004.sdmp, 3KFFG52TBI.tmp, 00000006.00000000.1769996020.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, 3KFFG52TBI.tmp.5.dr, 3KFFG52TBI.tmp.0.dr | false | | high
https://www.innosetup.com/ | 3KFFG52TBI.exe, 00000000.00000003.1678948852.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.exe, 00000000.00000003.1679263791.000000007F58B000.00000004.00001000.00020000.00000000.sdmp, 3KFFG52TBI.tmp, 00000001.00000000.1680469042.0000000000DB1000.00000020.00000001.01000000.00000004.sdmp, 3KFFG52TBI.tmp, 00000006.00000000.1769996020.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, 3KFFG52TBI.tmp.5.dr, 3KFFG52TBI.tmp.0.dr | false | | high

No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1581694
          Start date and time:2024-12-28 17:45:27 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 9m 39s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of new started processes analysed:110
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Critical Process Termination
          Sample name:3KFFG52TBI.exe
          renamed because original name is a hash value
          Original Sample Name:0A886C39186AD2A6D3EB9F0736D81B14.exe
          Detection:MAL
          Classification:mal96.evad.winEXE@134/31@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 74%
          • Number of executed functions: 121
          • Number of non-executed functions: 103
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.95.31.18
          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          bg.microsoft.map.fastly.net | a2mNMrPxow.exe | malicious | Unknown | 199.232.214.172
          bg.microsoft.map.fastly.net | tzA45NGAW4.lnk | malicious | Unknown | 199.232.210.172
          bg.microsoft.map.fastly.net | sYPORwmgwQ.exe | malicious | Unknown | 199.232.214.172
          bg.microsoft.map.fastly.net | New Upd v1.1.0.exe | malicious | LummaC | 199.232.214.172
          bg.microsoft.map.fastly.net | JA7cOAGHym.exe | malicious | Vidar | 199.232.214.172
          bg.microsoft.map.fastly.net | wp.bat | malicious | Unknown | 199.232.210.172
          bg.microsoft.map.fastly.net | final.exe | malicious | Meterpreter | 199.232.214.172
          bg.microsoft.map.fastly.net | n5Szx8qsFB.lnk | malicious | Unknown | 199.232.214.172
          bg.microsoft.map.fastly.net | A4FY1OA97K.lnk | malicious | DanaBot | 199.232.214.172
          bg.microsoft.map.fastly.net | vreFmptfUu.lnk | malicious | DanaBot | 199.232.210.172
          No context
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name
          C:\Program Files (x86)\Windows NT\7zr.exe | Setup64v7.3.9.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | Setup64v4.1.9.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | Setup64v7.3.9.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | Setup64v4.1.9.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | yvaKqhmD4L.exe | malicious | Unknown
          C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | malicious | Unknown
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Joe Sandbox View:
                            • Filename: Setup64v7.3.9.exe, Detection: malicious, Browse
                            • Filename: Setup64v4.1.9.exe, Detection: malicious, Browse
                            • Filename: Setup64v7.3.9.exe, Detection: malicious, Browse
                            • Filename: Setup64v4.1.9.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                            • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                            • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1714160
                            Entropy (8bit):7.999904264666926
                            Encrypted:true
                            SSDEEP:24576:srVyarQqdIDSrVJdFufmHD03pGDz5uKsg08I2ltORkk28iBYr94DT4Vw5LEnlktB:7/OxJXufmHw5Mt7sg0hwpYBkFYnlOynK
                            MD5:D5F23E21F68FD7492919A1297BEF3CB1
                            SHA1:0647A1503A3981797CF8320B08EB7D4B7A310406
                            SHA-256:B4F46D0EE210DFE52EC5007E6CFFE19CC922AF1C8F086BEE34972CE0D548C5F4
                            SHA-512:CD75EBF4277B8E281D5321ACB6FBAFC9F0193D6766205761417DB0A6B90F09CA34BF3AEB2995BF3C546C9000922ABCE9E0637BCF65D75259C7BAA17C7C977632
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006091085616759
                            Encrypted:false
                            SSDEEP:98304:eXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:e5SG7Hwke71MzxY/UZD
                            MD5:BF0598974E1850BE8EAA8A102BAAAE9D
                            SHA1:1DFDC8A63929C51CE26E1AF66AA78B5074406EE2
                            SHA-256:7C1571AC30C74272A6E8E89A0672A493F622060351BC1AF16682D11199CF05DB
                            SHA-512:5FD44633C59D4685F91DE33E4EFDEB9650DC4F4DFA0C84FFD21C5BFB8D9928D93D80DA91E5E24C3F94C361DF92F69F65A4792736A4A644DB06953645A53064B9
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 47%
                            • Antivirus: Virustotal, Detection: 57%, Browse
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1714160
                            Entropy (8bit):7.999904264666926
                            Encrypted:true
                            SSDEEP:24576:srVyarQqdIDSrVJdFufmHD03pGDz5uKsg08I2ltORkk28iBYr94DT4Vw5LEnlktB:7/OxJXufmHw5Mt7sg0hwpYBkFYnlOynK
                            MD5:D5F23E21F68FD7492919A1297BEF3CB1
                            SHA1:0647A1503A3981797CF8320B08EB7D4B7A310406
                            SHA-256:B4F46D0EE210DFE52EC5007E6CFFE19CC922AF1C8F086BEE34972CE0D548C5F4
                            SHA-512:CD75EBF4277B8E281D5321ACB6FBAFC9F0193D6766205761417DB0A6B90F09CA34BF3AEB2995BF3C546C9000922ABCE9E0637BCF65D75259C7BAA17C7C977632
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.9967910750777165
                            Encrypted:true
                            SSDEEP:1536:QSwIdqokbmiNDWHHeTx3Hvxd+rQ4ZDsAGe+fw:Qed2bmiNDWHHYx3HvxOQeGe+o
                            MD5:FB21F0A9013D3F8EB0FADDD2A47454C0
                            SHA1:D7C57226084E795EBCB4C645B5F90168BC4570A1
                            SHA-256:D71FBAD808409A4D913F90314843764E6F2DA4920746411A384F78B21C630B94
                            SHA-512:734FD377A82CFCA37789D27BAC8E3A69D9DF8462C61F52BC6C424D3D3770B8715FFDD0ACF648793123A7CE462D63B3FFB752FC6C7E8351E1A2B9007FCA13F372
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.99679107507772
                            Encrypted:true
                            SSDEEP:1536:BjzyJcm+ESwaEZw7CpUP1GZi/J+96XH2nf9/XAx9NsbLflWWc:BqGESHGUP1GkUc2l/eQbL9WWc
                            MD5:114171702D5080CC9B2D7F8AA37CACA3
                            SHA1:458BD7F5019D2FBBE6F0A8B3E41C91EB7A714129
                            SHA-256:E4BEA795DC85DB1D462E4C27AD0628639873706E953EAEF5DDEB67AC53FC7AC2
                            SHA-512:3227AB21AED9E8E92B6751F62471C868AC154EEE682E7EC48471188C4D2BCB2041BD3E8F3776A77C6019E9ABBF5DD3768C8C62308A7BA185496DFC34C45952AF
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):1714160
                            Entropy (8bit):7.999904264666923
                            Encrypted:true
                            SSDEEP:49152:wO7AgQ1qWwi+h/FKRL9T1FbjwSnAlQuoha8:wO7WAWo/oRL9T1xjy0ha8
                            MD5:B09E2D76521238A6A59FD5BD7EA8072F
                            SHA1:3696032B74394D4519262A73FECAFE883CBD9B17
                            SHA-256:B58258934C2C9CE6B69CD0E848F0BED6BB09A8B2F1E0D891B5F6731F8F3A9A62
                            SHA-512:2A2EB492A003D351AB6F545E445959AA7BDB9162770434539077627F052079D1B9AC852DAB24CABC3573F8EDCEA87CADB1AD6D6134D8F7499B86A7AE239A6654
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            • Antivirus: Virustotal, Detection: 6%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3443983145211007
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                            MD5:1E67E91688292692932CD9096EDEA2BD
                            SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                            SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                            SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PGP Secret Sub-key -
                            Category:dropped
                            Size (bytes):1464049
                            Entropy (8bit):7.999877108047805
                            Encrypted:true
                            SSDEEP:24576:E+KWpAuKn8ZrQEveHNPQFBR3DtS/rFsooltsGezJmOx/k2+:rKLujQ3ZO3DtS/xsooltXeVVxn+
                            MD5:733005DD0B417F207112D70916D9BDD2
                            SHA1:87F0C88FA4C3375E7B52335CB675CBDB70D9A3F5
                            SHA-256:F6D1DBAD2589F6403EDE1AFE20D2694B2A7DF2EDA0F69E502AEF0C961D66BFE4
                            SHA-512:837F123F42C693C32C04EA777A894E5204BEC7AF7D6FAFF2B3218FC392B377FBF0FD0DDE480E09025794EAD2B26961CCCE0BD5B49AF549AA86DC4EE327089AFC
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulXg+//lz:NllUwu/l
                            MD5:ED0FF51DEEE7DB96EC9C5624C12E0A04
                            SHA1:515B7FC63DB9F9313A6AEE6B4A6266B0FB6FF3A7
                            SHA-256:B93B1F8411ACBB11CBECF0F4E344D7D6D3551801BD891B816FB4720E60CE357B
                            SHA-512:FD82F7D0B1B6F1641D2FF3F4EC6FEF66E2AB0F2048D7A5BBC674C379DD429516198FFD6E6E445C6EC1A2763ADAACF6288026B4A90697D86C8EED743A71F177ED
                            Malicious:false
                            Preview:@...e.................................F..............@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006091085616759
                            Encrypted:false
                            SSDEEP:98304:eXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:e5SG7Hwke71MzxY/UZD
                            MD5:BF0598974E1850BE8EAA8A102BAAAE9D
                            SHA1:1DFDC8A63929C51CE26E1AF66AA78B5074406EE2
                            SHA-256:7C1571AC30C74272A6E8E89A0672A493F622060351BC1AF16682D11199CF05DB
                            SHA-512:5FD44633C59D4685F91DE33E4EFDEB9650DC4F4DFA0C84FFD21C5BFB8D9928D93D80DA91E5E24C3F94C361DF92F69F65A4792736A4A644DB06953645A53064B9
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 47%
                            • Antivirus: Virustotal, Detection: 57%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7.......7...@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006091085616759
                            Encrypted:false
                            SSDEEP:98304:eXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:e5SG7Hwke71MzxY/UZD
                            MD5:BF0598974E1850BE8EAA8A102BAAAE9D
                            SHA1:1DFDC8A63929C51CE26E1AF66AA78B5074406EE2
                            SHA-256:7C1571AC30C74272A6E8E89A0672A493F622060351BC1AF16682D11199CF05DB
                            SHA-512:5FD44633C59D4685F91DE33E4EFDEB9650DC4F4DFA0C84FFD21C5BFB8D9928D93D80DA91E5E24C3F94C361DF92F69F65A4792736A4A644DB06953645A53064B9
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 47%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7.......7...@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\3KFFG52TBI.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530563507515443
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:69B4108233326BFF72DA366C9862D2B3
                            SHA1:E5063164E641699F9C13F35CE8FE016506843345
                            SHA-256:FA1F691C4D4F4F8907A1EED06A5E24962995B42A6F7943E5F95B393D69761BE0
                            SHA-512:80B48585130C4D37D149FE7FEB8A39E327474BEB834C164656827C44C2EFF2312A63EEB07F1AE00499569A227114EB7217AFE916B8F211620926914C3C7D6865
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.940786416372314
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:3KFFG52TBI.exe
                            File size:6'820'658 bytes
                            MD5:0a886c39186ad2a6d3eb9f0736d81b14
                            SHA1:8c6de9ade2663c78758eb1bbc4ed53c3bef2f306
                            SHA256:586f4b53ba8a17c022fd339c206e8f1fc543e9d4bd189bcc15c0f2fee899d1a0
                            SHA512:0ae95aae242a207b8dfbaf38952f121dad51c670c06e9d394d5d83bb9d8523e22c3e0c64a60c40632f7cb5ff7cbfc65ee9c53c609d7f78effb14def4907657a7
                            SSDEEP:98304:XwRE1fg7+f+Ha5JJ7oMY3vQ63V3OllbU5ed409iq8lDtLoQyPbdMwZgV:lt0+0+roT3ZOPo5e408TpLNyLk
                            TLSH:45661223F2CBE43EE05D0B3B06B2A65494FB6A606523AD5796ECB4ECCF211501D3E647
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F2D44BEBCD5h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F2D44C7D65Bh
                            call 00007F2D44C7D1AEh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F2D44C77E88h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F2D44BE5D83h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F2D44C791B3h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F2D44C7D6E3h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F2D44C843CAh
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F2D44C79AA8h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x11000 | 0x11000 | b6f14c83a6aa642a8379fb377ad40bf5 | False | 0.18767233455882354 | data | 3.7225953552718756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                            RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                            RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                            RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                            RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                            RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                            RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                            RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                            RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                            RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                            RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                            RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                            RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                            RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                            RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                            RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                            RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2747875354107649
                            RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Import
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken
                            English | United States
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Dec 28, 2024 17:46:36.974198103 CET | 1.1.1.1 | 192.168.2.4 | 0x1c0c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                            Dec 28, 2024 17:46:36.974198103 CET | 1.1.1.1 | 192.168.2.4 | 0x1c0c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                            Target ID:0
                            Start time:11:46:18
                            Start date:28/12/2024
                            Path:C:\Users\user\Desktop\3KFFG52TBI.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\3KFFG52TBI.exe"
                            Imagebase:0xb60000
                            File size:6'820'658 bytes
                            MD5 hash:0A886C39186AD2A6D3EB9F0736D81B14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:11:46:18
                            Start date:28/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-M4KSA.tmp\3KFFG52TBI.tmp" /SL5="$20422,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe"
                            Imagebase:0xdb0000
                            File size:3'366'912 bytes
                            MD5 hash:69B4108233326BFF72DA366C9862D2B3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:11:46:18
                            Start date:28/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:11:46:18
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:11:46:22
                            Start date:28/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:5
                            Start time:11:46:27
                            Start date:28/12/2024
                            Path:C:\Users\user\Desktop\3KFFG52TBI.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT
                            Imagebase:0xb60000
                            File size:6'820'658 bytes
                            MD5 hash:0A886C39186AD2A6D3EB9F0736D81B14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:11:46:27
                            Start date:28/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-QHOC8.tmp\3KFFG52TBI.tmp" /SL5="$40410,5866124,845824,C:\Users\user\Desktop\3KFFG52TBI.exe" /VERYSILENT
                            Imagebase:0x470000
                            File size:3'366'912 bytes
                            MD5 hash:69B4108233326BFF72DA366C9862D2B3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:11:46:29
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:11:46:29
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:11:46:29
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:11:46:29
                            Start date:28/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0xa80000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal
                            Has exited:true

                            Target ID:11
                            Start time:11:46:29
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:12
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0xa80000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:13
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:11:46:30
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:11:46:31
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:11:46:32
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7699e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:11:46:33
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff71f2c0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:11:46:34
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:11:46:35
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:11:46:35
                            Start date:28/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff67bd00000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:11:46:35
                            Start date:28/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:11:46:35
                            Start date:28/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff659c70000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:267
                            Start time:11:46:43
                            Start date:28/12/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false
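
The process list above shows the sample launching `sc start CleverSoar` over and over (Target IDs 70 through 108) through a `cmd /c start` wrapper, all within about three seconds and all from an elevated context. A detection that keys on exactly that shape, many `sc start` invocations of one service name in a short window, is what a hunter would want to run over process-creation telemetry. The following is an added example written for this page, not Joe Sandbox output or the sample's code; the log format (timestamp, image, command line, parent command line separated by `|`), the records themselves and the burst thresholds are all constructed assumptions, and the field names would need mapping to whatever your EDR or Sysmon Event ID 1 export actually provides.

```python
"""Flag bursts of `sc start <service>` such as the CleverSoar loop in the report above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|image|commandline|parent_commandline".
# The first six mirror the sc.exe entries in the sandbox process list; the last
# two are benign sc.exe uses added so the detector has something to ignore.
SAMPLE_LOG = r"""
2024-12-28T11:46:33|C:\Windows\System32\sc.exe|sc start CleverSoar|cmd /c start sc start CleverSoar
2024-12-28T11:46:33|C:\Windows\System32\sc.exe|sc start CleverSoar|cmd /c start sc start CleverSoar
2024-12-28T11:46:33|C:\Windows\System32\sc.exe|sc start CleverSoar|cmd /c start sc start CleverSoar
2024-12-28T11:46:34|C:\Windows\System32\sc.exe|sc start CleverSoar|cmd /c start sc start CleverSoar
2024-12-28T11:46:34|C:\Windows\System32\sc.exe|sc start CleverSoar|cmd /c start sc start CleverSoar
2024-12-28T11:46:35|C:\Windows\System32\sc.exe|sc start CleverSoar|cmd /c start sc start CleverSoar
2024-12-28T11:52:10|C:\Windows\System32\sc.exe|sc query Spooler|powershell.exe -NoProfile
2024-12-28T12:03:41|C:\Windows\System32\sc.exe|sc start Spooler|C:\Windows\explorer.exe
"""

# "sc start <name>" with an optional path and optional quotes around the image.
SC_START = re.compile(r'^(?:.*\\)?"?sc(?:\.exe)?"?\s+start\s+(\S+)', re.IGNORECASE)
# The detached-launch wrapper the sample uses: cmd /c start ...
CMD_START = re.compile(r'^cmd(?:\.exe)?\s+/c\s+start\s+', re.IGNORECASE)


def parse_records(text):
    """Turn the pipe-separated log text into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline, parent_cmdline = line.split("|", 3)
        records.append({
            "time": datetime.fromisoformat(ts),
            "image": image,
            "cmdline": cmdline,
            "parent_cmdline": parent_cmdline,
        })
    return records


def sc_start_target(record):
    """Return the service name if the record is sc.exe running `start <name>`, else None."""
    if not record["image"].lower().endswith("\\sc.exe"):
        return None
    m = SC_START.match(record["cmdline"])
    return m.group(1) if m else None


def find_sc_start_bursts(records, window=timedelta(seconds=10), threshold=3):
    """Group `sc start` calls by service and flag any service started `threshold`
    or more times inside `window`. A sliding window over the sorted timestamps
    gives the densest run; `via_cmd_start` records whether every launch came
    through `cmd /c start`, the wrapper seen in the sandbox process tree."""
    per_service = defaultdict(list)
    for r in records:
        svc = sc_start_target(r)
        if svc:
            per_service[svc.lower()].append(r)

    findings = []
    for hits in per_service.values():
        hits.sort(key=lambda r: r["time"])
        start, densest = 0, 0
        for end in range(len(hits)):
            while hits[end]["time"] - hits[start]["time"] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            findings.append({
                "service": sc_start_target(hits[0]),
                "count": len(hits),
                "max_in_window": densest,
                "first": hits[0]["time"],
                "last": hits[-1]["time"],
                "via_cmd_start": all(CMD_START.match(r["parent_cmdline"]) for r in hits),
            })
    return findings


if __name__ == "__main__":
    for f in find_sc_start_bursts(parse_records(SAMPLE_LOG)):
        print(f"{f['service']}: {f['count']} starts, {f['max_in_window']} within window, "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, via cmd /c start: {f['via_cmd_start']}")
```

The single `sc start Spooler` from explorer.exe is deliberately left unflagged: one start of a known service is normal administration, and the signal here is the repetition, not `sc.exe` itself. In a real deployment, feed the finding's service name into a follow-up query for the service's binary path and start type, since a freshly registered kernel driver started this way is a very different finding from a user-mode service.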


                              Execution Graph

                              Execution Coverage:2%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:5.1%
                              Total number of Nodes:741
                              Total number of Limit Nodes:9
                              execution_graph: rendered as an interactive graph on the original page; the raw node and edge dump is not reproduced here. Windows APIs named in the graph's nodes: CreateFileA, FindFirstFileA, FindClose, GetConsoleMode, ReadFile, ReadConsoleW, GetLastError, SetLastError, ExitThread, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, RaiseException, IsProcessorFeaturePresent, GetPEB, GetCurrentProcess followed by TerminateProcess, and GetCurrentThread followed by NtSetInformationThread (the call used for ThreadHideFromDebugger, which is what the thread-hiding signatures in this report key on). The remaining nodes are C runtime internals (__dosmaperr, __wsopen_s, __fassign, std::_Lockit, std::_Facet_Register, std::locale).
63877->63843 63878->63846 63879->63840 63880->63868 63881->63868 63882->63873 63883->63876 63885 6c04ab40 63884->63885 63886 6bf11dea 63885->63886 63893 6c05343a 63885->63893 63886->63849 63892 6c04fc53 18 API calls __fassign 63886->63892 63888 6c04ab8c 63888->63886 63904 6c053148 65 API calls 63888->63904 63890 6c04aba7 63890->63886 63905 6c054208 63890->63905 63892->63854 63894 6c053445 __wsopen_s 63893->63894 63895 6c053458 63894->63895 63896 6c053478 63894->63896 63930 6c053810 18 API calls __fassign 63895->63930 63900 6c053468 63896->63900 63916 6c05e4fc 63896->63916 63900->63888 63904->63890 63906 6c054214 __wsopen_s 63905->63906 63907 6c054233 63906->63907 63908 6c05421e 63906->63908 63909 6c05422e 63907->63909 64111 6c04fc99 EnterCriticalSection 63907->64111 64126 6c053810 18 API calls __fassign 63908->64126 63909->63886 63912 6c054250 64112 6c05428c 63912->64112 63914 6c05425b 64127 6c054282 LeaveCriticalSection 63914->64127 63917 6c05e508 __wsopen_s 63916->63917 63932 6c053a8f EnterCriticalSection 63917->63932 63919 6c05e516 63933 6c05e5a0 63919->63933 63924 6c05e662 63925 6c05e781 63924->63925 63957 6c05e804 63925->63957 63928 6c0534bc 63931 6c0534e5 LeaveCriticalSection 63928->63931 63930->63900 63931->63900 63932->63919 63941 6c05e5c3 63933->63941 63934 6c05e523 63947 6c05e55c 63934->63947 63935 6c05e61b 63952 6c05a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63935->63952 63937 6c05e624 63953 6c057eab HeapFree GetLastError __dosmaperr 63937->63953 63940 6c05e62d 63940->63934 63954 6c05a30f 6 API calls std::_Lockit::_Lockit 63940->63954 63941->63934 63941->63935 63941->63941 63950 6c04fc99 EnterCriticalSection 63941->63950 63951 6c04fcad LeaveCriticalSection 63941->63951 63943 6c05e64c 63955 6c04fc99 EnterCriticalSection 63943->63955 63946 6c05e65f 63946->63934 63956 6c053aa6 LeaveCriticalSection 63947->63956 63949 6c053493 63949->63900 63949->63924 63950->63941 63951->63941 63952->63937 63953->63940 
63954->63943 63955->63946 63956->63949 63958 6c05e823 63957->63958 63959 6c05e836 63958->63959 63961 6c05e84b 63958->63961 63973 6c053810 18 API calls __fassign 63959->63973 63968 6c05e96b 63961->63968 63974 6c067598 37 API calls __fassign 63961->63974 63962 6c05e797 63962->63928 63970 6c0676ce 63962->63970 63965 6c05e9bb 63965->63968 63975 6c067598 37 API calls __fassign 63965->63975 63967 6c05e9d9 63967->63968 63976 6c067598 37 API calls __fassign 63967->63976 63968->63962 63977 6c053810 18 API calls __fassign 63968->63977 63978 6c067a86 63970->63978 63973->63962 63974->63965 63975->63967 63976->63968 63977->63962 63979 6c067a92 __wsopen_s 63978->63979 63980 6c067a99 63979->63980 63981 6c067ac4 63979->63981 63996 6c053810 18 API calls __fassign 63980->63996 63987 6c0676ee 63981->63987 63986 6c0676e9 63986->63928 63998 6c053dbb 63987->63998 63993 6c067724 63994 6c067756 63993->63994 64038 6c057eab HeapFree GetLastError __dosmaperr 63993->64038 63997 6c067b1b LeaveCriticalSection __wsopen_s 63994->63997 63996->63986 63997->63986 64039 6c04f3db 63998->64039 64001 6c053ddf 64003 6c04f4e6 64001->64003 64048 6c04f53e 64003->64048 64005 6c04f4fe 64005->63993 64006 6c06775c 64005->64006 64063 6c067bdc 64006->64063 64011 6c06778e __dosmaperr 64011->63993 64013 6c067882 GetFileType 64015 6c0678d4 64013->64015 64016 6c06788d GetLastError 64013->64016 64014 6c067857 GetLastError 64014->64011 64093 6c064ea0 SetStdHandle __dosmaperr __wsopen_s 64015->64093 64092 6c0530e2 __dosmaperr 64016->64092 64017 6c067805 64017->64013 64017->64014 64091 6c067b47 CreateFileW 64017->64091 64020 6c06789b CloseHandle 64020->64011 64034 6c0678c4 64020->64034 64022 6c06784a 64022->64013 64022->64014 64023 6c0678f5 64024 6c067941 64023->64024 64094 6c067d56 70 API calls 2 library calls 64023->64094 64028 6c067948 64024->64028 64108 6c067e00 70 API calls 2 library calls 64024->64108 64027 6c067976 64027->64028 64029 6c067984 64027->64029 64095 6c05f015 64028->64095 64029->64011 64031 6c067a00 
CloseHandle 64029->64031 64109 6c067b47 CreateFileW 64031->64109 64033 6c067a2b 64033->64034 64035 6c067a35 GetLastError 64033->64035 64034->64011 64036 6c067a41 __dosmaperr 64035->64036 64110 6c064e0f SetStdHandle __dosmaperr __wsopen_s 64036->64110 64038->63994 64040 6c04f3fb 64039->64040 64041 6c04f3f2 64039->64041 64040->64041 64042 6c0580a2 __Getctype 37 API calls 64040->64042 64041->64001 64047 6c05a0c5 5 API calls std::_Lockit::_Lockit 64041->64047 64043 6c04f41b 64042->64043 64044 6c058618 __Getctype 37 API calls 64043->64044 64045 6c04f431 64044->64045 64046 6c058645 __fassign 37 API calls 64045->64046 64046->64041 64047->64001 64049 6c04f566 64048->64049 64050 6c04f54c 64048->64050 64051 6c04f58c 64049->64051 64052 6c04f56d 64049->64052 64053 6c04f4cc __wsopen_s HeapFree GetLastError 64050->64053 64055 6c057f33 __fassign MultiByteToWideChar 64051->64055 64054 6c04f556 __dosmaperr 64052->64054 64056 6c04f48d __wsopen_s HeapFree GetLastError 64052->64056 64053->64054 64054->64005 64057 6c04f59b 64055->64057 64056->64054 64058 6c04f5a2 GetLastError 64057->64058 64059 6c04f48d __wsopen_s HeapFree GetLastError 64057->64059 64061 6c04f5c8 64057->64061 64058->64054 64059->64061 64060 6c057f33 __fassign MultiByteToWideChar 64062 6c04f5df 64060->64062 64061->64054 64061->64060 64062->64054 64062->64058 64066 6c067bfd 64063->64066 64068 6c067c17 64063->64068 64064 6c067b6c __wsopen_s 18 API calls 64065 6c067c4f 64064->64065 64069 6c067c7e 64065->64069 64073 6c053810 __fassign 18 API calls 64065->64073 64067 6c053810 __fassign 18 API calls 64066->64067 64066->64068 64067->64068 64068->64064 64070 6c069001 __wsopen_s 18 API calls 64069->64070 64074 6c067779 64069->64074 64071 6c067ccc 64070->64071 64072 6c067d49 64071->64072 64071->64074 64075 6c05383d __Getctype 11 API calls 64072->64075 64073->64069 64074->64011 64077 6c064cfc 64074->64077 64076 6c067d55 64075->64076 64078 6c064d08 __wsopen_s 64077->64078 64079 6c053a8f std::_Lockit::_Lockit EnterCriticalSection 
64078->64079 64083 6c064d0f 64079->64083 64080 6c064d56 64081 6c064e06 __wsopen_s LeaveCriticalSection 64080->64081 64084 6c064d76 64081->64084 64082 6c064d34 64085 6c064f32 __wsopen_s 11 API calls 64082->64085 64083->64080 64083->64082 64087 6c064da3 EnterCriticalSection 64083->64087 64084->64011 64090 6c067b47 CreateFileW 64084->64090 64086 6c064d39 64085->64086 64086->64080 64088 6c065080 __wsopen_s EnterCriticalSection 64086->64088 64087->64080 64089 6c064db0 LeaveCriticalSection 64087->64089 64088->64080 64089->64083 64090->64017 64091->64022 64092->64020 64093->64023 64094->64024 64096 6c064c92 __wsopen_s 18 API calls 64095->64096 64097 6c05f025 64096->64097 64098 6c05f02b 64097->64098 64100 6c05f05d 64097->64100 64101 6c064c92 __wsopen_s 18 API calls 64097->64101 64099 6c064e0f __wsopen_s SetStdHandle 64098->64099 64107 6c05f083 __dosmaperr 64099->64107 64100->64098 64102 6c064c92 __wsopen_s 18 API calls 64100->64102 64103 6c05f054 64101->64103 64104 6c05f069 CloseHandle 64102->64104 64106 6c064c92 __wsopen_s 18 API calls 64103->64106 64104->64098 64105 6c05f075 GetLastError 64104->64105 64105->64098 64106->64100 64107->64011 64108->64027 64109->64033 64110->64034 64111->63912 64113 6c0542ae 64112->64113 64114 6c054299 64112->64114 64118 6c0542a9 64113->64118 64128 6c0543a9 64113->64128 64150 6c053810 18 API calls __fassign 64114->64150 64118->63914 64122 6c0542d1 64143 6c05ef88 64122->64143 64124 6c0542d7 64124->64118 64151 6c057eab HeapFree GetLastError __dosmaperr 64124->64151 64126->63909 64127->63909 64129 6c0543c1 64128->64129 64130 6c0542c3 64128->64130 64129->64130 64131 6c05d350 18 API calls 64129->64131 64134 6c05be2e 64130->64134 64132 6c0543df 64131->64132 64152 6c05f25c 64132->64152 64135 6c05be45 64134->64135 64136 6c0542cb 64134->64136 64135->64136 64208 6c057eab HeapFree GetLastError __dosmaperr 64135->64208 64138 6c05d350 64136->64138 64139 6c05d371 64138->64139 64140 6c05d35c 64138->64140 64139->64122 64209 6c053810 18 API calls __fassign 
64140->64209 64142 6c05d36c 64142->64122 64144 6c05efae 64143->64144 64146 6c05ef99 __dosmaperr 64143->64146 64145 6c05eff7 __dosmaperr 64144->64145 64147 6c05efd5 64144->64147 64218 6c053810 18 API calls __fassign 64145->64218 64146->64124 64210 6c05f0b1 64147->64210 64150->64118 64151->64118 64153 6c05f268 __wsopen_s 64152->64153 64154 6c05f2ba 64153->64154 64156 6c05f323 __dosmaperr 64153->64156 64158 6c05f270 __dosmaperr 64153->64158 64163 6c065080 EnterCriticalSection 64154->64163 64193 6c053810 18 API calls __fassign 64156->64193 64157 6c05f2c0 64161 6c05f2dc __dosmaperr 64157->64161 64164 6c05f34e 64157->64164 64158->64130 64192 6c05f31b LeaveCriticalSection __wsopen_s 64161->64192 64163->64157 64165 6c05f370 64164->64165 64191 6c05f38c __dosmaperr 64164->64191 64166 6c05f3c4 64165->64166 64167 6c05f374 __dosmaperr 64165->64167 64168 6c05f3d7 64166->64168 64202 6c05e359 20 API calls __wsopen_s 64166->64202 64201 6c053810 18 API calls __fassign 64167->64201 64194 6c05f530 64168->64194 64173 6c05f3ed 64175 6c05f416 64173->64175 64176 6c05f3f1 64173->64176 64174 6c05f42c 64177 6c05f485 WriteFile 64174->64177 64178 6c05f440 64174->64178 64204 6c05f5a1 43 API calls 5 library calls 64175->64204 64176->64191 64203 6c05f94b 6 API calls __wsopen_s 64176->64203 64180 6c05f4a9 GetLastError 64177->64180 64177->64191 64181 6c05f475 64178->64181 64182 6c05f44b 64178->64182 64180->64191 64207 6c05f9b3 7 API calls 2 library calls 64181->64207 64185 6c05f465 64182->64185 64186 6c05f450 64182->64186 64206 6c05fb77 8 API calls 3 library calls 64185->64206 64189 6c05f455 64186->64189 64186->64191 64188 6c05f463 64188->64191 64205 6c05fa8e 7 API calls 2 library calls 64189->64205 64191->64161 64192->64158 64193->64158 64195 6c0650d5 __wsopen_s 18 API calls 64194->64195 64196 6c05f541 64195->64196 64197 6c05f3e8 64196->64197 64198 6c0580a2 __Getctype 37 API calls 64196->64198 64197->64173 64197->64174 64199 6c05f564 64198->64199 64199->64197 64200 6c05f57e GetConsoleMode 
64199->64200 64200->64197 64201->64191 64202->64168 64203->64191 64204->64191 64205->64188 64206->64188 64207->64188 64208->64136 64209->64142 64211 6c05f0bd __wsopen_s 64210->64211 64219 6c065080 EnterCriticalSection 64211->64219 64213 6c05f0cb 64214 6c05f015 __wsopen_s 21 API calls 64213->64214 64215 6c05f0f8 64213->64215 64214->64215 64220 6c05f131 LeaveCriticalSection __wsopen_s 64215->64220 64217 6c05f11a 64217->64146 64218->64146 64219->64213 64220->64217 64221->63794 64222->63795 64223->63794 64224->63794 64225->63794 64227 6bf1022e 64226->64227 64228 6bee70c4 64227->64228 64233 6c054ecb 64227->64233 64228->63806 64230->63807 64231->63809 64232->63811 64234 6c054ef6 64233->64234 64235 6c054ed9 64233->64235 64234->64227 64235->64234 64236 6c054ee6 64235->64236 64237 6c054efa 64235->64237 64249 6c053810 18 API calls __fassign 64236->64249 64241 6c0550f2 64237->64241 64242 6c0550fe __wsopen_s 64241->64242 64250 6c04fc99 EnterCriticalSection 64242->64250 64244 6c05510c 64251 6c0550af 64244->64251 64248 6c054f2c 64248->64227 64249->64234 64250->64244 64259 6c05bc96 64251->64259 64257 6c0550e9 64258 6c055141 LeaveCriticalSection 64257->64258 64258->64248 64260 6c05d350 18 API calls 64259->64260 64261 6c05bca7 64260->64261 64262 6c0650d5 __wsopen_s 18 API calls 64261->64262 64263 6c05bcad __wsopen_s 64262->64263 64264 6c0550c3 64263->64264 64276 6c057eab HeapFree GetLastError __dosmaperr 64263->64276 64266 6c054f2e 64264->64266 64267 6c054f40 64266->64267 64270 6c054f5e 64266->64270 64268 6c054f4e 64267->64268 64267->64270 64273 6c054f76 _Yarn 64267->64273 64277 6c053810 18 API calls __fassign 64268->64277 64275 6c05bd49 62 API calls 64270->64275 64271 6c0543a9 62 API calls 64271->64273 64272 6c05d350 18 API calls 64272->64273 64273->64270 64273->64271 64273->64272 64274 6c05f25c __wsopen_s 62 API calls 64273->64274 64274->64273 64275->64257 64276->64264 64277->64270 64278 6bec4b53 64279 6c04a133 std::_Facet_Register 4 API calls 64278->64279 64280 6bec4b5c _Yarn 
64279->64280 64281 6c03e090 2 API calls 64280->64281 64286 6bec4bae std::ios_base::_Ios_base_dtor 64281->64286 64282 6bee639e 64481 6c053820 18 API calls 2 library calls 64282->64481 64284 6bec5164 CreateFileA CloseHandle 64290 6bec51ec 64284->64290 64285 6bec4cff 64286->64282 64286->64284 64286->64285 64287 6bed245a _Yarn _strlen 64286->64287 64287->64282 64289 6c03e090 2 API calls 64287->64289 64304 6bed2a83 std::ios_base::_Ios_base_dtor 64289->64304 64436 6c048810 OpenSCManagerA 64290->64436 64292 6becfc00 64473 6c048930 CreateToolhelp32Snapshot 64292->64473 64295 6c04a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 64330 6bec5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 64295->64330 64297 6bed37d0 Sleep 64342 6bed37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 64297->64342 64298 6c03e090 2 API calls 64298->64330 64299 6bee63b2 64482 6bec15e0 18 API calls std::ios_base::_Ios_base_dtor 64299->64482 64300 6c048930 4 API calls 64318 6bed053a 64300->64318 64301 6c048930 4 API calls 64323 6bed12e2 64301->64323 64303 6bee64f8 64304->64282 64440 6c030880 64304->64440 64305 6becffe3 64305->64300 64309 6bed0abc 64305->64309 64306 6bee6ba0 104 API calls 64306->64330 64307 6bee6e60 32 API calls 64307->64330 64309->64287 64309->64301 64310 6bee7090 77 API calls 64310->64330 64311 6c048930 4 API calls 64311->64309 64312 6c048930 4 API calls 64331 6bed1dd9 64312->64331 64313 6bed211c 64313->64287 64314 6bed241a 64313->64314 64317 6c030880 10 API calls 64314->64317 64315 6c03e090 2 API calls 64315->64342 64319 6bed244d 64317->64319 64318->64309 64318->64311 64479 6c049450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64319->64479 64321 6bed2452 Sleep 64321->64287 64322 6bec6722 64449 6c044860 25 API calls 4 library calls 64322->64449 64323->64312 64323->64313 64335 6bed16ac 64323->64335 64324 6bec6162 64325 6bec740b 64450 6c0486e0 CreateProcessA 64325->64450 
64327 6c048930 4 API calls 64327->64313 64328 6bee6ba0 104 API calls 64328->64342 64329 6bee6e60 32 API calls 64329->64342 64330->64282 64330->64292 64330->64295 64330->64298 64330->64306 64330->64307 64330->64310 64330->64322 64330->64324 64448 6bf0e010 67 API calls 64330->64448 64331->64313 64331->64327 64332 6bee7090 77 API calls 64332->64342 64334 6bec775a _strlen 64334->64282 64336 6bec7ba9 64334->64336 64337 6bec7b92 64334->64337 64340 6bec7b43 _Yarn 64334->64340 64339 6c04a133 std::_Facet_Register 4 API calls 64336->64339 64338 6c04a133 std::_Facet_Register 4 API calls 64337->64338 64338->64340 64339->64340 64341 6c03e090 2 API calls 64340->64341 64351 6bec7be7 std::ios_base::_Ios_base_dtor 64341->64351 64342->64282 64342->64315 64342->64328 64342->64329 64342->64332 64480 6bf0e010 67 API calls 64342->64480 64343 6c0486e0 4 API calls 64354 6bec8a07 64343->64354 64344 6bec9d7f 64348 6c04a133 std::_Facet_Register 4 API calls 64344->64348 64345 6bec9d68 64347 6c04a133 std::_Facet_Register 4 API calls 64345->64347 64346 6bec962c _strlen 64346->64282 64346->64344 64346->64345 64349 6bec9d18 _Yarn 64346->64349 64347->64349 64348->64349 64350 6c03e090 2 API calls 64349->64350 64357 6bec9dbd std::ios_base::_Ios_base_dtor 64350->64357 64351->64282 64351->64343 64351->64346 64352 6bec8387 64351->64352 64353 6c0486e0 4 API calls 64362 6bec9120 64353->64362 64354->64353 64355 6c0486e0 4 API calls 64372 6beca215 _strlen 64355->64372 64356 6c0486e0 4 API calls 64359 6bec9624 64356->64359 64357->64282 64357->64355 64363 6bece8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 64357->64363 64358 6c04a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 64358->64363 64454 6c049450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64359->64454 64361 6c03e090 2 API calls 64361->64363 64362->64356 64363->64282 64363->64358 64363->64361 64364 6becf7b1 64363->64364 64365 6beced02 
Sleep 64363->64365 64472 6c049450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64364->64472 64384 6bece8c1 64365->64384 64367 6beca9bb 64371 6c04a133 std::_Facet_Register 4 API calls 64367->64371 64368 6beca9a4 64370 6c04a133 std::_Facet_Register 4 API calls 64368->64370 64369 6bece8dd GetCurrentProcess TerminateProcess 64369->64363 64379 6beca953 _Yarn _strlen 64370->64379 64371->64379 64372->64282 64372->64367 64372->64368 64372->64379 64373 6c0486e0 4 API calls 64373->64384 64374 6becfbb8 64375 6becfbe8 ExitWindowsEx Sleep 64374->64375 64375->64292 64376 6becf7c0 64376->64374 64377 6becb009 64381 6c04a133 std::_Facet_Register 4 API calls 64377->64381 64378 6becaff0 64380 6c04a133 std::_Facet_Register 4 API calls 64378->64380 64379->64299 64379->64377 64379->64378 64382 6becafa0 _Yarn 64379->64382 64380->64382 64381->64382 64455 6c049050 64382->64455 64384->64363 64384->64369 64384->64373 64385 6becb059 std::ios_base::_Ios_base_dtor _strlen 64385->64282 64386 6becb42c 64385->64386 64387 6becb443 64385->64387 64390 6becb3da _Yarn _strlen 64385->64390 64388 6c04a133 std::_Facet_Register 4 API calls 64386->64388 64389 6c04a133 std::_Facet_Register 4 API calls 64387->64389 64388->64390 64389->64390 64390->64299 64391 6becb79e 64390->64391 64392 6becb7b7 64390->64392 64395 6becb751 _Yarn 64390->64395 64393 6c04a133 std::_Facet_Register 4 API calls 64391->64393 64394 6c04a133 std::_Facet_Register 4 API calls 64392->64394 64393->64395 64394->64395 64396 6c049050 104 API calls 64395->64396 64397 6becb804 std::ios_base::_Ios_base_dtor _strlen 64396->64397 64397->64282 64398 6becbc0f 64397->64398 64399 6becbc26 64397->64399 64402 6becbbbd _Yarn _strlen 64397->64402 64400 6c04a133 std::_Facet_Register 4 API calls 64398->64400 64401 6c04a133 std::_Facet_Register 4 API calls 64399->64401 64400->64402 64401->64402 64402->64299 64403 6becc08e 64402->64403 64404 6becc075 64402->64404 64407 6becc028 _Yarn 64402->64407 64406 
6c04a133 std::_Facet_Register 4 API calls 64403->64406 64405 6c04a133 std::_Facet_Register 4 API calls 64404->64405 64405->64407 64406->64407 64408 6c049050 104 API calls 64407->64408 64413 6becc0db std::ios_base::_Ios_base_dtor _strlen 64408->64413 64409 6becc7bc 64412 6c04a133 std::_Facet_Register 4 API calls 64409->64412 64410 6becc7a5 64411 6c04a133 std::_Facet_Register 4 API calls 64410->64411 64420 6becc753 _Yarn _strlen 64411->64420 64412->64420 64413->64282 64413->64409 64413->64410 64413->64420 64414 6becd3ed 64416 6c04a133 std::_Facet_Register 4 API calls 64414->64416 64415 6becd406 64417 6c04a133 std::_Facet_Register 4 API calls 64415->64417 64418 6becd39a _Yarn 64416->64418 64417->64418 64419 6c049050 104 API calls 64418->64419 64421 6becd458 std::ios_base::_Ios_base_dtor _strlen 64419->64421 64420->64299 64420->64414 64420->64415 64420->64418 64426 6beccb2f 64420->64426 64421->64282 64422 6becd8bb 64421->64422 64423 6becd8a4 64421->64423 64427 6becd852 _Yarn _strlen 64421->64427 64425 6c04a133 std::_Facet_Register 4 API calls 64422->64425 64424 6c04a133 std::_Facet_Register 4 API calls 64423->64424 64424->64427 64425->64427 64427->64299 64428 6becdccf 64427->64428 64429 6becdcb6 64427->64429 64432 6becdc69 _Yarn 64427->64432 64431 6c04a133 std::_Facet_Register 4 API calls 64428->64431 64430 6c04a133 std::_Facet_Register 4 API calls 64429->64430 64430->64432 64431->64432 64433 6c049050 104 API calls 64432->64433 64435 6becdd1c std::ios_base::_Ios_base_dtor 64433->64435 64434 6c0486e0 4 API calls 64434->64363 64435->64282 64435->64434 64437 6c048846 64436->64437 64438 6c0488be OpenServiceA 64437->64438 64439 6c048922 64437->64439 64438->64437 64439->64330 64445 6c030893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 64440->64445 64441 6c034e71 CloseHandle 64441->64445 64442 6bed37cb 64447 6c049450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 64442->64447 64443 6c033bd1 CloseHandle 
64443->64445 64445->64441 64445->64442 64445->64443 64446 6c01cea0 WriteFile ReadFile WriteFile WriteFile 64445->64446 64483 6c01c390 64445->64483 64446->64445 64447->64297 64448->64330 64449->64325 64451 6c048770 64450->64451 64452 6c0487b0 WaitForSingleObject CloseHandle CloseHandle 64451->64452 64453 6c0487a4 64451->64453 64452->64451 64453->64334 64454->64346 64456 6c0490a7 64455->64456 64494 6c0496e0 64456->64494 64458 6c0490b8 64459 6bee6ba0 104 API calls 64458->64459 64460 6c0490dc 64459->64460 64465 6c049144 64460->64465 64471 6c049157 64460->64471 64513 6c049a30 64460->64513 64521 6bf23010 64460->64521 64463 6c04918f std::ios_base::_Ios_base_dtor 64547 6bf0e010 67 API calls 64463->64547 64531 6c049280 64465->64531 64467 6c0491d2 std::ios_base::_Ios_base_dtor 64467->64385 64469 6c04914c 64470 6bee7090 77 API calls 64469->64470 64470->64471 64546 6bf0e010 67 API calls 64471->64546 64472->64376 64476 6c048966 std::locale::_Setgloballocale 64473->64476 64474 6c048a64 Process32NextW 64474->64476 64475 6c048a14 CloseHandle 64475->64476 64476->64474 64476->64475 64477 6c048a96 64476->64477 64478 6c048a45 Process32FirstW 64476->64478 64477->64305 64478->64476 64479->64321 64480->64342 64482->64303 64484 6c01c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 64483->64484 64485 6c01ce3c 64484->64485 64486 6c01cab9 CreateFileA 64484->64486 64488 6c01b4d0 64484->64488 64485->64445 64486->64484 64489 6c01b4e3 __wsopen_s std::locale::_Setgloballocale 64488->64489 64490 6c01c206 WriteFile 64489->64490 64491 6c01c377 64489->64491 64492 6c01b619 WriteFile 64489->64492 64493 6c01bc23 ReadFile 64489->64493 64490->64489 64491->64484 64492->64489 64493->64489 64495 6c049715 64494->64495 64496 6bf12020 52 API calls 64495->64496 64497 6c0497b6 64496->64497 64498 6c04a133 std::_Facet_Register 4 API calls 64497->64498 64499 6c0497ee 64498->64499 64500 6c04aa17 43 API calls 64499->64500 64501 6c049802 64500->64501 64502 6bf11d90 89 API calls 64501->64502 64503 6c0498ab 
64502->64503 64504 6c0498dc 64503->64504 64548 6bf12250 30 API calls 64503->64548 64504->64458 64506 6c049916 64549 6bf126e0 24 API calls 4 library calls 64506->64549 64508 6c049928 64550 6c04ca69 RaiseException 64508->64550 64510 6c04993d 64551 6bf0e010 67 API calls 64510->64551 64512 6c04994f 64512->64458 64514 6c049a7d 64513->64514 64552 6c049c90 64514->64552 64517 6c049b6c 64517->64460 64520 6c049a95 64520->64517 64570 6bf12250 30 API calls 64520->64570 64571 6bf126e0 24 API calls 4 library calls 64520->64571 64572 6c04ca69 RaiseException 64520->64572 64522 6bf2304f 64521->64522 64525 6bf23063 64522->64525 64581 6bf13560 32 API calls std::_Xinvalid_argument 64522->64581 64527 6bf2311e 64525->64527 64583 6bf12250 30 API calls 64525->64583 64584 6bf126e0 24 API calls 4 library calls 64525->64584 64585 6c04ca69 RaiseException 64525->64585 64529 6bf23131 64527->64529 64582 6bf137e0 32 API calls std::_Xinvalid_argument 64527->64582 64529->64460 64532 6c04928e 64531->64532 64535 6c0492c1 64531->64535 64534 6bf101f0 64 API calls 64532->64534 64533 6c049373 64533->64469 64536 6c0492b4 64534->64536 64535->64533 64586 6bf12250 30 API calls 64535->64586 64538 6c054208 67 API calls 64536->64538 64538->64535 64539 6c04939e 64587 6bf12340 24 API calls 64539->64587 64541 6c0493ae 64588 6c04ca69 RaiseException 64541->64588 64543 6c0493b9 64589 6bf0e010 67 API calls 64543->64589 64545 6c049412 std::ios_base::_Ios_base_dtor 64545->64469 64546->64463 64547->64467 64548->64506 64549->64508 64550->64510 64551->64512 64553 6c049ccc 64552->64553 64554 6c049cf8 64552->64554 64555 6c049cf1 64553->64555 64575 6bf12250 30 API calls 64553->64575 64560 6c049d09 64554->64560 64573 6bf13560 32 API calls std::_Xinvalid_argument 64554->64573 64555->64520 64558 6c049ed8 64576 6bf12340 24 API calls 64558->64576 64560->64555 64574 6bf12f60 42 API calls 4 library calls 64560->64574 64561 6c049ee7 64577 6c04ca69 RaiseException 64561->64577 64565 6c049f17 64579 6bf12340 24 API calls 64565->64579 
64567 6c049f2d 64580 6c04ca69 RaiseException 64567->64580 64569 6c049d43 64569->64555 64578 6bf12250 30 API calls 64569->64578 64570->64520 64571->64520 64572->64520 64573->64560 64574->64569 64575->64558 64576->64561 64577->64569 64578->64565 64579->64567 64580->64555 64581->64525 64582->64529 64583->64525 64584->64525 64585->64525 64586->64539 64587->64541 64588->64543 64589->64545
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 50d333067a74fbcfd668203da5e6f7b233f9a4f74aab8997057d54f95161a09d
                              • Instruction ID: d0482ba932d0bed08a9355ad455b0fa02d7c3959e1fb05576a0a75f22b04284c
                              • Opcode Fuzzy Hash: 50d333067a74fbcfd668203da5e6f7b233f9a4f74aab8997057d54f95161a09d
                              • Instruction Fuzzy Hash: AF741671644B018FC728CF28C9D0696B7F3EF95318B298A6DC0A68B755E778B44BCB41

                              Control-flow Graph (rendered graph with executed / not-executed block colouring; graph data omitted)
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C04893E
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: 3ce2a521c7f459c71b86258592a549b82ab6b367eee1d1828834749cf9e73836
                              • Instruction ID: a58e1028de776a11543be4e716052a7970fe5eaba3fca3461d9ea3fabe9dd4d3
                              • Opcode Fuzzy Hash: 3ce2a521c7f459c71b86258592a549b82ab6b367eee1d1828834749cf9e73836
                              • Instruction Fuzzy Hash: 11315E70219301EFD701AF59C88475EBBE4AF8A718F588E2EE488D6360D771D8558B93

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4877 6bec3886-6bec388e 4878 6bec3894-6bec3896 4877->4878 4879 6bec3970-6bec397d 4877->4879 4878->4879 4880 6bec389c-6bec38b9 4878->4880 4881 6bec397f-6bec3989 4879->4881 4882 6bec39f1-6bec39f8 4879->4882 4886 6bec38c0-6bec38c1 4880->4886 4881->4880 4883 6bec398f-6bec3994 4881->4883 4884 6bec39fe-6bec3a03 4882->4884 4885 6bec3ab5-6bec3aba 4882->4885 4887 6bec399a-6bec399f 4883->4887 4888 6bec3b16-6bec3b18 4883->4888 4889 6bec3a09-6bec3a2f 4884->4889 4890 6bec38d2-6bec38d4 4884->4890 4885->4880 4892 6bec3ac0-6bec3ac7 4885->4892 4891 6bec395e 4886->4891 4893 6bec383b-6bec3855 call 6c012a20 call 6c012a30 4887->4893 4894 6bec39a5-6bec39bf 4887->4894 4888->4886 4895 6bec38f8-6bec3955 4889->4895 4896 6bec3a35-6bec3a3a 4889->4896 4897 6bec3957-6bec395c 4890->4897 4899 6bec3960-6bec3964 4891->4899 4892->4886 4898 6bec3acd-6bec3ad6 4892->4898 4902 6bec3860-6bec3885 4893->4902 4900 6bec3a5a-6bec3a5d 4894->4900 4895->4897 4903 6bec3b1d-6bec3b22 4896->4903 4904 6bec3a40-6bec3a57 4896->4904 4897->4891 4898->4888 4905 6bec3ad8-6bec3aeb 4898->4905 4901 6bec396a 4899->4901 4899->4902 4911 6bec3aa9-6bec3ab0 4900->4911 4912 6bec3a87-6bec3aa7 4900->4912 4910 6bec3ba1-6bec3bb6 4901->4910 4902->4877 4907 6bec3b49-6bec3b50 4903->4907 4908 6bec3b24-6bec3b44 4903->4908 4904->4900 4905->4895 4913 6bec3af1-6bec3af8 4905->4913 4907->4886 4916 6bec3b56-6bec3b5d 4907->4916 4908->4912 4918 6bec3bc0-6bec3bda call 6c012a20 call 6c012a30 4910->4918 4911->4899 4912->4911 4919 6bec3afa-6bec3aff 4913->4919 4920 6bec3b62-6bec3b85 4913->4920 4916->4899 4928 6bec3be0-6bec3bfe 4918->4928 4919->4897 4920->4895 4923 6bec3b8b 4920->4923 4923->4910 4931 6bec3e7b 4928->4931 4932 6bec3c04-6bec3c11 4928->4932 4935 6bec3e81-6bec3ee0 call 6bec3750 GetCurrentThread NtSetInformationThread 4931->4935 4933 6bec3c17-6bec3c20 4932->4933 4934 6bec3ce0-6bec3cea 4932->4934 4936 6bec3dc5 4933->4936 4937 6bec3c26-6bec3c2d 4933->4937 4938 6bec3cec-6bec3d0c 4934->4938 4939 6bec3d3a-6bec3d3c 4934->4939 4953 6bec3eea-6bec3f04 call 6c012a20 call 6c012a30 4935->4953 4943 6bec3dc6 4936->4943 4941 6bec3dc3 4937->4941 4942 6bec3c33-6bec3c3a 4937->4942 4944 6bec3d90-6bec3d95 4938->4944 4946 6bec3d3e-6bec3d45 4939->4946 4947 6bec3d70-6bec3d8d 4939->4947 4941->4936 4950 6bec3e26-6bec3e2b 4942->4950 4951 6bec3c40-6bec3c5b 4942->4951 4952 6bec3dc8-6bec3dcc 4943->4952 4948 6bec3dba-6bec3dc1 4944->4948 4949 6bec3d97-6bec3db8 4944->4949 4954 6bec3d50-6bec3d57 4946->4954 4947->4944 4948->4941 4955 6bec3dd7-6bec3ddc 4948->4955 4949->4936 4958 6bec3c7b-6bec3cd0 4950->4958 4959 6bec3e31 4950->4959 4956 6bec3e1b-6bec3e24 4951->4956 4952->4928 4957 6bec3dd2 4952->4957 4971 6bec3f75-6bec3fa1 4953->4971 4954->4943 4961 6bec3dde-6bec3e17 4955->4961 4962 6bec3e36-6bec3e3d 4955->4962 4956->4952 4963 6bec3e76-6bec3e79 4957->4963 4958->4954 4959->4918 4961->4956 4966 6bec3e5c-6bec3e5f 4962->4966 4967 6bec3e3f-6bec3e5a 4962->4967 4963->4935 4966->4958 4970 6bec3e65-6bec3e69 4966->4970 4967->4956 4970->4952 4970->4963 4975 6bec4020-6bec4026 4971->4975 4976 6bec3fa3-6bec3fa8 4971->4976 4977 6bec402c-6bec403c 4975->4977 4978 6bec3f06-6bec3f35 4975->4978 4979 6bec407c-6bec4081 4976->4979 4980 6bec3fae-6bec3fcf 4976->4980 4982 6bec403e-6bec4058 4977->4982 4983 6bec40b3-6bec40b8 4977->4983 4981 6bec3f38-6bec3f61 4978->4981 4984 6bec40aa-6bec40ae 4979->4984 4985 6bec4083-6bec408a 4979->4985 4980->4984 4987 6bec3f64-6bec3f67 4981->4987 4988 6bec405a-6bec4063 4982->4988 4983->4980 4986 6bec40be-6bec40c9 4983->4986 4989 6bec3f6b-6bec3f6f 4984->4989 4985->4981 4990 6bec4090 4985->4990 4986->4984 4991 6bec40cb-6bec40d4 4986->4991 4992 6bec3f69 4987->4992 4993 6bec4069-6bec406c 4988->4993 4994 6bec40f5-6bec413f 4988->4994 4989->4971 4990->4953 4995 6bec40d6-6bec40f0 4991->4995 4996 6bec40a7 4991->4996 4992->4989 4998 6bec4144-6bec414b 4993->4998 4999 6bec4072-6bec4077 4993->4999 4994->4992 4995->4988 4996->4984 4998->4989 4999->4987
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9607811885abc54acb07f1b1a105374a8caa3b34bcc3a3e57f7196fb9b0483b0
                              • Instruction ID: 129504f40ba72f175ea91e16dc1f09391ba4e17f972958e82bc01ee659ac98a4
                              • Opcode Fuzzy Hash: 9607811885abc54acb07f1b1a105374a8caa3b34bcc3a3e57f7196fb9b0483b0
                              • Instruction Fuzzy Hash: 4232CF32244B018FC334CF28C990696B7E3EF91314B7A8A6DC0BA5B795D779B44A8B51
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: efe4c08d25fab3574bf2bd0b2af7b4120005fdfb60ffaa450b4fe064f78a63af
                              • Instruction ID: 85c38ac94c836d367fac7170b72262037e14781b2b620bfceee61653ee4e44c5
                              • Opcode Fuzzy Hash: efe4c08d25fab3574bf2bd0b2af7b4120005fdfb60ffaa450b4fe064f78a63af
                              • Instruction Fuzzy Hash: 3851BD725487018FC3308F28C9807C6B7F3AF96314F798A5DC0E61B695DB79B44A8B52
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 448ba53d7271df7b41dcbc63d142e9d65c1499d7d803b5e4788bc4b9198d8245
                              • Instruction ID: 568c990c432d3263d1ea5e1c8daccd9f3a2d70d3836901573cc6610cbc8414f2
                              • Opcode Fuzzy Hash: 448ba53d7271df7b41dcbc63d142e9d65c1499d7d803b5e4788bc4b9198d8245
                              • Instruction Fuzzy Hash: AC51BA31508B018FC3308F28C5807DAB7F3AF96314B758A5DC0FA5B695DB78B44A8B92
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6BEC3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BEC3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 701eff630dd7c776c0b413f74ef076bfbca079673af9d318263856217f20f1c2
                              • Instruction ID: aec2068f648fbfaf0acf3208f0ee94f3b8a08b8e8998a27685f3214fa5a86e67
                              • Opcode Fuzzy Hash: 701eff630dd7c776c0b413f74ef076bfbca079673af9d318263856217f20f1c2
                              • Instruction Fuzzy Hash: 6431DE31559B018FC330CF28C9847C7B7B3AF96314F668A1EC0B65B681DB78744A9B52
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6BEC3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BEC3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 38274c0e3f91bee5f236946762db222067c645dd5abd08aa5b8b5d2bae9d6c22
                              • Instruction ID: 8ff901082d17d8d5e2bfe1bb3fc72e468cb041150ef977b1c48d09bc42d3d194
                              • Opcode Fuzzy Hash: 38274c0e3f91bee5f236946762db222067c645dd5abd08aa5b8b5d2bae9d6c22
                              • Instruction Fuzzy Hash: 4631CD311187018FC734CF28C694797BBB2AF96308F754A5EC0FA5B281DB7974468B92
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C048820
                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C0488C5
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Open$ManagerService
                              • String ID:
                              • API String ID: 2351955762-0
                              • Opcode ID: 7ebf7548abda6a32389380cadddf0fe0df0ead7a90bebe877ef186d91a05a61e
                              • Instruction ID: 7a58ea60d9759b689e9a9a74d51bd6e2a6d4ba1ecac96ed51ca40595db729239
                              • Opcode Fuzzy Hash: 7ebf7548abda6a32389380cadddf0fe0df0ead7a90bebe877ef186d91a05a61e
                              • Instruction Fuzzy Hash: 7A310574608302EFD600AF29C849B0FBBF1AB89354F548D6EF488D7261D271C8499BA2
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6BEC3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BEC3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 558f37020789f48d69b19f1ce46e485eeec88fcbfce77cda1f0dbe55518c2311
                              • Instruction ID: 80fdd84c82f6ea481d5cb3b6acb2c39bedc6cf97125564daa69690e9af36c4dd
                              • Opcode Fuzzy Hash: 558f37020789f48d69b19f1ce46e485eeec88fcbfce77cda1f0dbe55518c2311
                              • Instruction Fuzzy Hash: EE21BC701587018FD3348F28C9957DBB7B2AF42304F758A1ED0B69B680DB78A4499B53
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C03E0AC
                              • FindClose.KERNEL32(000000FF), ref: 6C03E0E2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: e4920765d6ec7ee1b10542c7f8dc2de24c3a6fc132992f856fed0a93fba5d380
                              • Instruction ID: ba2c83aa3344975b5760347d530cd9ea8a5f383217e3ec9d1701d55f811522a3
                              • Opcode Fuzzy Hash: e4920765d6ec7ee1b10542c7f8dc2de24c3a6fc132992f856fed0a93fba5d380
                              • Instruction Fuzzy Hash: 8C1128745087629FC7208F28C944B4EBBE4AB86314F548E5AE4A8C6690D738DC888B82

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3722 6c0601c3-6c0601d3 3723 6c0601d5-6c0601e8 call 6c0530cf call 6c0530bc 3722->3723 3724 6c0601ed-6c0601ef 3722->3724 3738 6c06056c 3723->3738 3725 6c060554-6c060561 call 6c0530cf call 6c0530bc 3724->3725 3726 6c0601f5-6c0601fb 3724->3726 3743 6c060567 call 6c053810 3725->3743 3726->3725 3729 6c060201-6c060227 3726->3729 3729->3725 3732 6c06022d-6c060236 3729->3732 3736 6c060250-6c060252 3732->3736 3737 6c060238-6c06024b call 6c0530cf call 6c0530bc 3732->3737 3741 6c060550-6c060552 3736->3741 3742 6c060258-6c06025b 3736->3742 3737->3743 3744 6c06056f-6c060572 3738->3744 3741->3744 3742->3741 3746 6c060261-6c060265 3742->3746 3743->3738 3746->3737 3749 6c060267-6c06027e 3746->3749 3751 6c060280-6c060283 3749->3751 3752 6c0602cf-6c0602d5 3749->3752 3755 6c060285-6c06028e 3751->3755 3756 6c060293-6c060299 3751->3756 3753 6c0602d7-6c0602e1 3752->3753 3754 6c06029b-6c0602b2 call 6c0530cf call 6c0530bc call 6c053810 3752->3754 3760 6c0602e3-6c0602e5 3753->3760 3761 6c0602e8-6c060306 call 6c057ee5 call 6c057eab * 2 3753->3761 3788 6c060487 3754->3788 3757 6c060353-6c060363 3755->3757 3756->3754 3758 6c0602b7-6c0602ca 3756->3758 3763 6c060428-6c060431 call 6c0650d5 3757->3763 3764 6c060369-6c060375 3757->3764 3758->3757 3760->3761 3792 6c060323-6c06034c call 6c05e359 3761->3792 3793 6c060308-6c06031e call 6c0530bc call 6c0530cf 3761->3793 3776 6c0604a4 3763->3776 3777 6c060433-6c060445 3763->3777 3764->3763 3768 6c06037b-6c06037d 3764->3768 3768->3763 3772 6c060383-6c0603a7 3768->3772 3772->3763 3778 6c0603a9-6c0603bf 3772->3778 3781 6c0604a8-6c0604c0 ReadFile 3776->3781 3777->3776 3783 6c060447-6c060456 GetConsoleMode 3777->3783 3778->3763 3779 6c0603c1-6c0603c3 3778->3779 3779->3763 3784 6c0603c5-6c0603eb 3779->3784 3786 6c0604c2-6c0604c8 3781->3786 3787 6c06051c-6c060527 GetLastError 3781->3787 3783->3776 3789 6c060458-6c06045c 3783->3789 3784->3763 3791 6c0603ed-6c060403 3784->3791 3786->3787 3796 6c0604ca 3786->3796 3794 6c060540-6c060543 3787->3794 3795 6c060529-6c06053b call 6c0530bc call 6c0530cf 3787->3795 3790 6c06048a-6c060494 call 6c057eab 3788->3790 3789->3781 3797 6c06045e-6c060478 ReadConsoleW 3789->3797 3790->3744 3791->3763 3799 6c060405-6c060407 3791->3799 3792->3757 3793->3788 3806 6c060480-6c060486 call 6c0530e2 3794->3806 3807 6c060549-6c06054b 3794->3807 3795->3788 3803 6c0604cd-6c0604df 3796->3803 3804 6c06047a GetLastError 3797->3804 3805 6c060499-6c0604a2 3797->3805 3799->3763 3809 6c060409-6c060423 3799->3809 3803->3790 3813 6c0604e1-6c0604e5 3803->3813 3804->3806 3805->3803 3806->3788 3807->3790 3809->3763 3817 6c0604e7-6c0604f7 call 6c0605ee 3813->3817 3818 6c0604fe-6c060509 3813->3818 3830 6c0604fa-6c0604fc 3817->3830 3820 6c060515-6c06051a call 6c0608a6 3818->3820 3821 6c06050b call 6c060573 3818->3821 3828 6c060510-6c060513 3820->3828 3821->3828 3828->3830 3830->3790
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 9ea0e32ea91cfb0f9175f9de27ed050fc84ec7cdecb26209df04f915bcf133c6
                              • Instruction ID: 9a0dcbac38ee78e42058eee2b7411c02df5753dc8b1eed700f972491d75e9e4d
                              • Opcode Fuzzy Hash: 9ea0e32ea91cfb0f9175f9de27ed050fc84ec7cdecb26209df04f915bcf133c6
                              • Instruction Fuzzy Hash: 27C116B0A482899FDF01CF9AC890BAEBBF0AF4A31CF508159E514A7F81C7719945CB65

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3831 6c06775c-6c06778c call 6c067bdc 3834 6c0677a7-6c0677b3 call 6c064cfc 3831->3834 3835 6c06778e-6c067799 call 6c0530cf 3831->3835 3841 6c0677b5-6c0677ca call 6c0530cf call 6c0530bc 3834->3841 3842 6c0677cc-6c067815 call 6c067b47 3834->3842 3840 6c06779b-6c0677a2 call 6c0530bc 3835->3840 3851 6c067a81-6c067a85 3840->3851 3841->3840 3849 6c067817-6c067820 3842->3849 3850 6c067882-6c06788b GetFileType 3842->3850 3853 6c067857-6c06787d GetLastError call 6c0530e2 3849->3853 3854 6c067822-6c067826 3849->3854 3855 6c0678d4-6c0678d7 3850->3855 3856 6c06788d-6c0678be GetLastError call 6c0530e2 CloseHandle 3850->3856 3853->3840 3854->3853 3860 6c067828-6c067855 call 6c067b47 3854->3860 3858 6c0678e0-6c0678e6 3855->3858 3859 6c0678d9-6c0678de 3855->3859 3856->3840 3870 6c0678c4-6c0678cf call 6c0530bc 3856->3870 3863 6c0678ea-6c067938 call 6c064ea0 3858->3863 3864 6c0678e8 3858->3864 3859->3863 3860->3850 3860->3853 3873 6c067957-6c06797f call 6c067e00 3863->3873 3874 6c06793a-6c067946 call 6c067d56 3863->3874 3864->3863 3870->3840 3880 6c067984-6c0679c5 3873->3880 3881 6c067981-6c067982 3873->3881 3874->3873 3882 6c067948 3874->3882 3884 6c0679e6-6c0679f4 3880->3884 3885 6c0679c7-6c0679cb 3880->3885 3883 6c06794a-6c067952 call 6c05f015 3881->3883 3882->3883 3883->3851 3887 6c067a7f 3884->3887 3888 6c0679fa-6c0679fe 3884->3888 3885->3884 3886 6c0679cd-6c0679e1 3885->3886 3886->3884 3887->3851 3888->3887 3890 6c067a00-6c067a33 CloseHandle call 6c067b47 3888->3890 3894 6c067a67-6c067a7b 3890->3894 3895 6c067a35-6c067a61 GetLastError call 6c0530e2 call 6c064e0f 3890->3895 3894->3887 3895->3894
                              APIs
                                • Part of subcall function 6C067B47: CreateFileW.KERNEL32(00000000,00000000,?,6C067805,?,?,00000000,?,6C067805,00000000,0000000C), ref: 6C067B64
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C067870
                              • __dosmaperr.LIBCMT ref: 6C067877
                              • GetFileType.KERNEL32(00000000), ref: 6C067883
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C06788D
                              • __dosmaperr.LIBCMT ref: 6C067896
                              • CloseHandle.KERNEL32(00000000), ref: 6C0678B6
                              • CloseHandle.KERNEL32(6C05E7C0), ref: 6C067A03
                              • GetLastError.KERNEL32 ref: 6C067A35
                              • __dosmaperr.LIBCMT ref: 6C067A3C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: d4f31a5d3b282fbb625defe8356333da4128aa8ed79a93dd36de33cc16f9251a
                              • Instruction ID: 24d325fa45544beebd2704eb111082cc55b03f25c65d7d138ef78db7ae084866
                              • Opcode Fuzzy Hash: d4f31a5d3b282fbb625defe8356333da4128aa8ed79a93dd36de33cc16f9251a
                              • Instruction Fuzzy Hash: 81A12632A041148FDF09DF6DC851BAD7BF1AB0A328F18424DE811EBB91DB359916CB61
                              APIs
                              • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C01B62F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID: *$,=ym$-=ym$-=ym$B$H
                              • API String ID: 3934441357-3163594065
                              • Opcode ID: 26c0dea7b9b70f809e4cfc9657fbdcce4957bb2f5ef3adf01c154cb5a77f3209
                              • Instruction ID: bef43c2145bb635f8c9301792c38042eb98bd562b6c8a411e5eed057c2695e04
                              • Opcode Fuzzy Hash: 26c0dea7b9b70f809e4cfc9657fbdcce4957bb2f5ef3adf01c154cb5a77f3209
                              • Instruction Fuzzy Hash: 077258B460D3459FCB14CFA8C49075EFBE1AB89304F588A2EE499CBB50E774D8858B53
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 9d310cebb2f941a1c809c4ccdbeb0880540ec02278785422d87f48b28852381b
                              • Instruction ID: ae4d5592c429351d91c37e2372e19e32262856514d2f919c7fd81ef43ffabd8c
                              • Opcode Fuzzy Hash: 9d310cebb2f941a1c809c4ccdbeb0880540ec02278785422d87f48b28852381b
                              • Instruction Fuzzy Hash: 6903B331644B018FC728CF28C890696B7F3AFD53247698A6DC0A64B795DB7CB54BCB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4469 6c0486e0-6c048767 CreateProcessA 4470 6c04878b-6c048794 4469->4470 4471 6c048796-6c04879b 4470->4471 4472 6c0487b0-6c0487fa WaitForSingleObject CloseHandle * 2 4470->4472 4473 6c048770-6c048783 4471->4473 4474 6c04879d-6c0487a2 4471->4474 4472->4470 4473->4470 4474->4470 4475 6c0487a4-6c048807 4474->4475
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: CloseHandle$CreateObjectProcessSingleWait
                              • String ID: D
                              • API String ID: 2059082233-2746444292
                              • Opcode ID: 5433055d50e605ef07a5074c5be128a3e8f510fcbd056e01c7a9791ff61b47a8
                              • Instruction ID: fb5855c8eda4157251f033acf78c0b7a5c08b0dbcb25127ef1935816e616d1f5
                              • Opcode Fuzzy Hash: 5433055d50e605ef07a5074c5be128a3e8f510fcbd056e01c7a9791ff61b47a8
                              • Instruction Fuzzy Hash: 5231C171819380CFD740EF68D19872ABBF0AB99318F509A2EF9D996360D774D584CB83

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4477 6c05f34e-6c05f36a 4478 6c05f370-6c05f372 4477->4478 4479 6c05f529 4477->4479 4480 6c05f394-6c05f3b5 4478->4480 4481 6c05f374-6c05f387 call 6c0530cf call 6c0530bc call 6c053810 4478->4481 4482 6c05f52b-6c05f52f 4479->4482 4484 6c05f3b7-6c05f3ba 4480->4484 4485 6c05f3bc-6c05f3c2 4480->4485 4499 6c05f38c-6c05f38f 4481->4499 4484->4485 4487 6c05f3c4-6c05f3c9 4484->4487 4485->4481 4485->4487 4489 6c05f3cb-6c05f3d7 call 6c05e359 4487->4489 4490 6c05f3da-6c05f3eb call 6c05f530 4487->4490 4489->4490 4497 6c05f3ed-6c05f3ef 4490->4497 4498 6c05f42c-6c05f43e 4490->4498 4500 6c05f416-6c05f422 call 6c05f5a1 4497->4500 4501 6c05f3f1-6c05f3f9 4497->4501 4502 6c05f485-6c05f4a7 WriteFile 4498->4502 4503 6c05f440-6c05f449 4498->4503 4499->4482 4513 6c05f427-6c05f42a 4500->4513 4504 6c05f3ff-6c05f40c call 6c05f94b 4501->4504 4505 6c05f4bb-6c05f4be 4501->4505 4507 6c05f4b2 4502->4507 4508 6c05f4a9-6c05f4af GetLastError 4502->4508 4509 6c05f475-6c05f483 call 6c05f9b3 4503->4509 4510 6c05f44b-6c05f44e 4503->4510 4521 6c05f40f-6c05f411 4504->4521 4515 6c05f4c1-6c05f4c6 4505->4515 4514 6c05f4b5-6c05f4ba 4507->4514 4508->4507 4509->4513 4516 6c05f465-6c05f473 call 6c05fb77 4510->4516 4517 6c05f450-6c05f453 4510->4517 4513->4521 4514->4505 4522 6c05f524-6c05f527 4515->4522 4523 6c05f4c8-6c05f4cd 4515->4523 4516->4513 4517->4515 4524 6c05f455-6c05f463 call 6c05fa8e 4517->4524 4521->4514 4522->4482 4526 6c05f4cf-6c05f4d4 4523->4526 4527 6c05f4f9-6c05f505 4523->4527 4524->4513 4531 6c05f4d6-6c05f4e8 call 6c0530bc call 6c0530cf 4526->4531 4532 6c05f4ed-6c05f4f4 call 6c0530e2 4526->4532 4529 6c05f507-6c05f50a 4527->4529 4530 6c05f50c-6c05f51f call 6c0530bc call 6c0530cf 4527->4530 4529->4479 4529->4530 4530->4499 4531->4499 4532->4499
                              APIs
                                • Part of subcall function 6C05F5A1: GetConsoleCP.KERNEL32(?,6C05E7C0,?), ref: 6C05F5E9
                              • WriteFile.KERNEL32(?,?,6C067DDC,00000000,00000000,?,00000000,00000000,6C0691A6,00000000,00000000,?,00000000,6C05E7C0,6C067DDC,00000000), ref: 6C05F49F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C067DDC,6C05E7C0,00000000,?,?,?,?,00000000,?), ref: 6C05F4A9
                              • __dosmaperr.LIBCMT ref: 6C05F4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 4cb4c1fe6a247cd25c1eaa0270eb6ef541d58c4d967eab3f2653919a9eacfcc6
                              • Instruction ID: 01580bbbcbb1332b1433a245511ad88b6d6e2e5ee23eb01057f99a817946ac2d
                              • Opcode Fuzzy Hash: 4cb4c1fe6a247cd25c1eaa0270eb6ef541d58c4d967eab3f2653919a9eacfcc6
                              • Instruction Fuzzy Hash: 98512C71A0420AAFEF01DFA4CA40BDEB7FDEF09358F940511E500A7A51D778E955CB61

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4544 6c049280-6c04928c 4545 6c0492cd 4544->4545 4546 6c04928e-6c049299 4544->4546 4547 6c0492cf-6c049347 4545->4547 4548 6c0492af-6c0492bc call 6bf101f0 call 6c054208 4546->4548 4549 6c04929b-6c0492ad 4546->4549 4550 6c049373-6c049379 4547->4550 4551 6c049349-6c049371 4547->4551 4558 6c0492c1-6c0492cb 4548->4558 4549->4548 4551->4550 4553 6c04937a-6c049439 call 6bf12250 call 6bf12340 call 6c04ca69 call 6bf0e010 call 6c04a778 4551->4553 4558->4547
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C049421
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: d4d7046ef241725f7322792b35145667ab10d83de023f6f3e03185b94ae32ac5
                              • Instruction ID: bcd28e8c9cdf499281bfc158d980f57f8ce9129254c9d5618a2f9b9433ceda92
                              • Opcode Fuzzy Hash: d4d7046ef241725f7322792b35145667ab10d83de023f6f3e03185b94ae32ac5
                              • Instruction Fuzzy Hash: 9D5132B6900B008FD725CF29C585B97BBF5BB49318F408A2DD9864BB90D779B909CF90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4567 6c01cea0-6c01cf03 call 6c04a260 4570 6c01cf40-6c01cf49 4567->4570 4571 6c01cf90-6c01cf95 4570->4571 4572 6c01cf4b-6c01cf50 4570->4572 4575 6c01d030-6c01d035 4571->4575 4576 6c01cf9b-6c01cfa0 4571->4576 4573 6c01d000-6c01d005 4572->4573 4574 6c01cf56-6c01cf5b 4572->4574 4583 6c01d125-6c01d158 call 6c04ea90 4573->4583 4584 6c01d00b-6c01d010 4573->4584 4579 6c01cf61-6c01cf66 4574->4579 4580 6c01d065-6c01d08c 4574->4580 4577 6c01d03b-6c01d040 4575->4577 4578 6c01d17d-6c01d191 4575->4578 4581 6c01cf05-6c01cf21 WriteFile 4576->4581 4582 6c01cfa6-6c01cfab 4576->4582 4585 6c01d1a7-6c01d1ac 4577->4585 4586 6c01d046-6c01d060 4577->4586 4593 6c01d195-6c01d1a2 4578->4593 4587 6c01d091-6c01d0aa WriteFile 4579->4587 4588 6c01cf6c-6c01cf71 4579->4588 4589 6c01cf33-6c01cf38 4580->4589 4594 6c01cf30 4581->4594 4591 6c01cfb1-6c01cfb6 4582->4591 4592 6c01d0af-6c01d120 WriteFile 4582->4592 4583->4570 4595 6c01d016-6c01d01b 4584->4595 4596 6c01d15d-6c01d175 4584->4596 4585->4570 4600 6c01d1b2-6c01d1c0 4585->4600 4586->4593 4587->4594 4588->4570 4597 6c01cf73-6c01cf86 4588->4597 4589->4570 4591->4570 4599 6c01cfb8-6c01cfee call 6c04f010 ReadFile 4591->4599 4592->4594 4593->4570 4594->4589 4595->4570 4601 6c01d021-6c01d02b 4595->4601 4596->4578 4597->4589 4599->4594 4601->4594
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C01CFE1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: e24af7dff547e55df425e610af80918990e58b93969647e2a65d1e17c0deb0aa
                              • Instruction ID: 0a569d2588672997ffd874a06600ad67cd20bcb3253f0aa8e1615b4b4ad78e8a
                              • Opcode Fuzzy Hash: e24af7dff547e55df425e610af80918990e58b93969647e2a65d1e17c0deb0aa
                              • Instruction Fuzzy Hash: 597148B0209350AFD711DF69C884B9AFBE4BF89708F50492EF494C7A90E375D984CB82

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               control_flow_graph 4626 6c01c390-6c01c406 call 6c04a260 call 6c04f010 4631 6c01c426-6c01c42f 4626->4631 4632 6c01c431-6c01c436 4631->4632 4633 6c01c490-6c01c495 4631->4633 4636 6c01c500-6c01c505 4632->4636 4637 6c01c43c-6c01c441 4632->4637 4634 6c01c570-6c01c575 4633->4634 4635 6c01c49b-6c01c4a0 4633->4635 4642 6c01c6d6-6c01c6db 4634->4642 4643 6c01c57b-6c01c580 4634->4643 4644 6c01c4a6-6c01c4ab 4635->4644 4645 6c01c638-6c01c63d 4635->4645 4640 6c01c679-6c01c67e 4636->4640 4641 6c01c50b-6c01c510 4636->4641 4638 6c01c447-6c01c44c 4637->4638 4639 6c01c5bf-6c01c5c4 4637->4639 4646 6c01c742-6c01c747 4638->4646 4647 6c01c452-6c01c457 4638->4647 4660 6c01c863-6c01c868 4639->4660 4661 6c01c5ca-6c01c5cf 4639->4661 4652 6c01c8e2-6c01c8e7 4640->4652 4653 6c01c684-6c01c689 4640->4653 4648 6c01c516-6c01c51b 4641->4648 4649 6c01c7de-6c01c7e3 4641->4649 4658 6c01c6e1-6c01c6e6 4642->4658 4659 6c01c912-6c01c917 4642->4659 4654 6c01c830-6c01c835 4643->4654 4655 6c01c586-6c01c58b 4643->4655 4656 6c01c4b1-6c01c4b6 4644->4656 4657 6c01c796-6c01c79b 4644->4657 4650 6c01c643-6c01c648 4645->4650 4651 6c01c8ab-6c01c8b0 4645->4651 4680 6c01cca3-6c01ccba 4646->4680 4681 6c01c74d-6c01c752 4646->4681 4664 6c01c93d-6c01c95b 4647->4664 4665 6c01c45d-6c01c462 4647->4665 4682 6c01c521-6c01c526 4648->4682 4683 6c01c9a3-6c01c9b3 4648->4683 4686 6c01c7e9-6c01c7ee 4649->4686 4687 6c01ccfa-6c01cd23 4649->4687 4666 6c01cb08-6c01cb34 4650->4666 4667 6c01c64e-6c01c653 4650->4667 4668 6c01c8b6-6c01c8bb 4651->4668 4669 6c01cdda-6c01cdf1 4651->4669 4670 6c01cdf9-6c01ce12 4652->4670 4671 6c01c8ed-6c01c8f2 4652->4671 4672 6c01cb61-6c01cb85 4653->4672 4673 6c01c68f-6c01c694 4653->4673 4690 6c01c83b-6c01c840 4654->4690 4691 6c01cd6c-6c01cd88 4654->4691 4688 6c01c591-6c01c596 4655->4688 4689 6c01c9fe-6c01ca3a 4655->4689 4674 6c01c97a-6c01c984 4656->4674 4675 6c01c4bc-6c01c4c1 4656->4675 4684 6c01c7a1-6c01c7a6 4657->4684 4685 6c01c408-6c01c418 4657->4685 4678 6c01cc12-6c01cc4d call 6c04f010 call 6c01b4d0 4658->4678 4679 6c01c6ec-6c01c6f1 4658->4679 4676 6c01ce1a-6c01ce29 4659->4676 4677 6c01c91d-6c01c922 4659->4677 4662 6c01cdb7-6c01cdbf 4660->4662 4663 6c01c86e-6c01c873 4660->4663 4692 6c01ca71-6c01ca9b call 6c04ea90 4661->4692 4693 6c01c5d5-6c01c5da 4661->4693 4721 6c01cdc4-6c01cdd5 4662->4721 4694 6c01ce31-6c01ce36 4663->4694 4695 6c01c879-6c01c8a6 4663->4695 4703 6c01cd8a-6c01cd98 4664->4703 4696 6c01c960-6c01c975 4665->4696 4697 6c01c468-6c01c46d 4665->4697 4666->4631 4712 6c01cb39-6c01cb5c 4667->4712 4713 6c01c659-6c01c65e 4667->4713 4668->4631 4698 6c01c8c1-6c01c8dd 4668->4698 4669->4670 4670->4676 4671->4631 4699 6c01c8f8-6c01c90d 4671->4699 4672->4631 4714 6c01cb8a-6c01cc0d 4673->4714 4715 6c01c69a-6c01c69f 4673->4715 4674->4631 4700 6c01c4c7-6c01c4cc 4675->4700 4701 6c01c989-6c01c99e 4675->4701 4676->4694 4677->4631 4702 6c01c928-6c01c938 4677->4702 4752 6c01cc52-6c01cc72 4678->4752 4717 6c01cc77-6c01cc88 4679->4717 4718 6c01c6f7-6c01c6fc 4679->4718 4716 6c01ccbc-6c01ccc4 4680->4716 4719 6c01ccc9-6c01ccd8 4681->4719 4720 6c01c758-6c01c75d 4681->4720 4704 6c01c9bd-6c01c9c5 4682->4704 4705 6c01c52c-6c01c531 4682->4705 4683->4704 4722 6c01cce0-6c01ccf5 4684->4722 4723 6c01c7ac-6c01c7b1 4684->4723 4726 6c01c41d 4685->4726 4724 6c01c7f4-6c01c7f9 4686->4724 4725 6c01cd28-6c01cd67 4686->4725 4687->4631 4707 6c01ca43-6c01ca6c 4688->4707 4708 6c01c59c-6c01c5a1 4688->4708 4689->4707 4727 6c01c846-6c01c84b 4690->4727 4728 6c01cd9d-6c01cdad 4690->4728 4691->4703 4692->4631 4709 6c01caa0-6c01cb03 call 6c01ce50 CreateFileA 4693->4709 4710 6c01c5e0-6c01c5e5 4693->4710 4694->4631 4746 6c01ce3c-6c01ce47 4694->4746 4695->4631 4696->4631 4697->4631 4729 6c01c46f-6c01c483 4697->4729 4730 6c01cc8d-6c01cc9e 4698->4730 4699->4631 4700->4631 4731 6c01c4d2-6c01c4fa call 6c012a20 call 6c012a30 4700->4731 4732 6c01c420-6c01c424 4701->4732 4702->4721 4703->4631 4733 6c01c9ca-6c01c9f9 4704->4733 4705->4631 4734 6c01c537-6c01c561 4705->4734 4707->4631 4708->4631 4736 6c01c5a7-6c01c5ba 4708->4736 4709->4631 4710->4631 4738 6c01c5eb-6c01c633 4710->4738 4712->4631 4713->4631 4740 6c01c664-6c01c674 4713->4740 4714->4631 4715->4631 4741 6c01c6a5-6c01c6d1 4715->4741 4716->4631 4717->4730 4718->4631 4742 6c01c702-6c01c73d 4718->4742 4719->4722 4720->4631 4743 6c01c763-6c01c791 4720->4743 4721->4631 4722->4726 4723->4631 4744 6c01c7b7-6c01c7d9 4723->4744 4724->4631 4745 6c01c7ff-6c01c82b 4724->4745 4725->4631 4726->4732 4727->4631 4747 6c01c851-6c01c85e 4727->4747 4728->4662 4729->4721 4730->4631 4731->4631 4732->4631 4733->4631 4734->4631 4736->4631 4738->4631 4740->4733 4741->4631 4742->4631 4743->4716 4744->4703 4745->4631 4747->4733 4752->4631
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: @*Z$@*Z
                              • API String ID: 0-2842812045
                              • Opcode ID: 2b8e08310cc6041761f361bbb2cbfb8f18e06ed2cca5132db691c33b3e9f2e5e
                              • Instruction ID: 6065dd216682410a7e6800b652bd4668e9025c687b9eca4fd4dff9d04d4bd30d
                              • Opcode Fuzzy Hash: 2b8e08310cc6041761f361bbb2cbfb8f18e06ed2cca5132db691c33b3e9f2e5e
                              • Instruction Fuzzy Hash: 3842557060D3428FCB14DFA9D48166EFBE1AB89318F644D2EF49AC7B61D231D9458B03

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4755 6c05f015-6c05f029 call 6c064c92 4758 6c05f02f-6c05f037 4755->4758 4759 6c05f02b-6c05f02d 4755->4759 4761 6c05f042-6c05f045 4758->4761 4762 6c05f039-6c05f040 4758->4762 4760 6c05f07d-6c05f09d call 6c064e0f 4759->4760 4770 6c05f09f-6c05f0a9 call 6c0530e2 4760->4770 4771 6c05f0ab 4760->4771 4765 6c05f047-6c05f04b 4761->4765 4766 6c05f063-6c05f073 call 6c064c92 CloseHandle 4761->4766 4762->4761 4764 6c05f04d-6c05f061 call 6c064c92 * 2 4762->4764 4764->4759 4764->4766 4765->4764 4765->4766 4766->4759 4774 6c05f075-6c05f07b GetLastError 4766->4774 4776 6c05f0ad-6c05f0b0 4770->4776 4771->4776 4774->4760
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C06794F), ref: 6C05F06B
                              • GetLastError.KERNEL32(?,00000000,?,6C06794F), ref: 6C05F075
                              • __dosmaperr.LIBCMT ref: 6C05F0A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 6145b6b70f2311f499b995ff8305bba90afa1e07d49ebef8b5a89b181eec6e7f
                              • Instruction ID: 1e57ef635b369e100b6a3330b9b4c5c4e68d757d959e2e7c5ba21cc21409534e
                              • Opcode Fuzzy Hash: 6145b6b70f2311f499b995ff8305bba90afa1e07d49ebef8b5a89b181eec6e7f
                              • Instruction Fuzzy Hash: C7018E3370533027D211667A9A687AE27ED8B8373CFAD9649E914C7FC0DF6CD45582A0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 5000 6c05428c-6c054297 5001 6c0542ae-6c0542bb 5000->5001 5002 6c054299-6c0542ac call 6c0530bc call 6c053810 5000->5002 5004 6c0542f6-6c0542ff call 6c05e565 5001->5004 5005 6c0542bd-6c0542d2 call 6c0543a9 call 6c05be2e call 6c05d350 call 6c05ef88 5001->5005 5013 6c054300-6c054302 5002->5013 5004->5013 5019 6c0542d7-6c0542dc 5005->5019 5020 6c0542e3-6c0542e7 5019->5020 5021 6c0542de-6c0542e1 5019->5021 5020->5004 5022 6c0542e9-6c0542f5 call 6c057eab 5020->5022 5021->5004 5022->5004
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 8e2cba5e891676442ea723fce22092a6068845b68dc03e37f0f3dac75efaf723
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: C9F0D1325056207BD7215AA99E007DB32E88F42338FD44B15EA6493ED0DB75F43A86E1
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0491A4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0491E4
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 0f29d2b199122990f24243df28fbfff6a09e67065b745ab817a93be7891b827d
                              • Instruction ID: edc48a966a3ead2dac57268aa0ec213200528e5bc9333b90f8b1165b23ffe075
                              • Opcode Fuzzy Hash: 0f29d2b199122990f24243df28fbfff6a09e67065b745ab817a93be7891b827d
                              • Instruction Fuzzy Hash: 9A515871101B00DBD725CF25C985BA3BBF4FB08718F448A2CD4AA4BAA1DB35B545CB80
                              APIs
                              • GetLastError.KERNEL32(6C079DD0,0000000C), ref: 6C052642
                              • ExitThread.KERNEL32 ref: 6C052649
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: e265fefb4c0eea51d4aa7e919dab6c20d3f09c851f7107e085dc5480052af1d4
                              • Instruction ID: 536da86e80a8344a012425b3b5f69c1c2be61b16ef6cc1cf3682c7aa9391dd3d
                              • Opcode Fuzzy Hash: e265fefb4c0eea51d4aa7e919dab6c20d3f09c851f7107e085dc5480052af1d4
                              • Instruction Fuzzy Hash: 9DF0C270A00204AFDF05ABB0CA4DBAE3BF8FF45208F244549E001A7B91CF30A964CFA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: fe7e85bbb8d81a9feacf20028c7d1df0ee886e6d5098fd7888327bb08cde1f49
                              • Instruction ID: 7ce587ecccfff5bc5e960255ed1925eb1bab0c7583dc174457c03398036a36ee
                              • Opcode Fuzzy Hash: fe7e85bbb8d81a9feacf20028c7d1df0ee886e6d5098fd7888327bb08cde1f49
                              • Instruction Fuzzy Hash: 97118C71A0420AAFCF05CF58E948E9B3BF8EF48308F104069F818AB301D630ED25CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: 8c1508d1a816fda877cfd12cebad3b1599f6f0f1dd381fc92ba2c18941104430
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: E1014B72C0115AAFCF019FA88C00AEEBFF5AF08314F144165E924E36A1E7318A24DB91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C067805,?,?,00000000,?,6C067805,00000000,0000000C), ref: 6C067B64
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 71bad3f82da81af84274e073f58f7227680568c47b9068d2a3164506abf41bad
                              • Instruction ID: d5a93c78c341947946d0592af0f60db33d488425e00bf14a66c058aefb0d2e42
                              • Opcode Fuzzy Hash: 71bad3f82da81af84274e073f58f7227680568c47b9068d2a3164506abf41bad
                              • Instruction Fuzzy Hash: CED06C3210014DBBDF128E84DC06EDA3BAAFB48755F014010BA1866020C732E861AB90
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: 8a8cef8ac0b8e36a0eb43ea14b32a4ae50e64946b3a759aaec7f20c4dc89c441
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: C
                              • API String ID: 4218353326-4157497815
                              • Opcode ID: 6b73afda664d47da91e7add03fa5a3f093821eb7dd93ac77e748b36c01f8405d
                              • Instruction ID: 882bb34bbe0def07759124b9564221f15d82e945efd54cbcee7b9db5abfbbca9
                              • Opcode Fuzzy Hash: 6b73afda664d47da91e7add03fa5a3f093821eb7dd93ac77e748b36c01f8405d
                              • Instruction Fuzzy Hash: 6073F271644B01CFC728CF29C890B9AB3F2AF95318759CA7DC09787A95EB74B54ACB40
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6C04945A
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C049466
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C049474
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C04949B
                              • NtInitiatePowerAction.NTDLL ref: 6C0494AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: f20f310ae92c742a638bd6748ad84bbaf0e917c2f25b33be95147da88655685a
                              • Instruction ID: 540c624dd4fe0b7ecdf775e40a66bd6628dcf84bdcf36d4927da00e534fcbc31
                              • Opcode Fuzzy Hash: f20f310ae92c742a638bd6748ad84bbaf0e917c2f25b33be95147da88655685a
                              • Instruction Fuzzy Hash: DDF05470644304ABFA10BF28CD0EB6A7BF8EF45715F008A19F945AA1D1D7706994DBE2
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: 6790028912daa306c2f7acf98b7f5d3d4acb3b82f65dc89c1ae6435ff8233471
                              • Instruction ID: dfa10b261ef2dc844e87fc8ea38ab0195ade5aa0728d0e114190e175b3bf0832
                              • Opcode Fuzzy Hash: 6790028912daa306c2f7acf98b7f5d3d4acb3b82f65dc89c1ae6435ff8233471
                              • Instruction Fuzzy Hash: 5B42247460C3928FCB14CFA8C58065ABBE1AFDA354F24895EE4A5CB360D338D846CB53
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C0A9CE5
                                • Part of subcall function 6C07FC2A: __EH_prolog.LIBCMT ref: 6C07FC2F
                                • Part of subcall function 6C0816A6: __EH_prolog.LIBCMT ref: 6C0816AB
                                • Part of subcall function 6C0A9A0E: __EH_prolog.LIBCMT ref: 6C0A9A13
                                • Part of subcall function 6C0A9837: __EH_prolog.LIBCMT ref: 6C0A983C
                                • Part of subcall function 6C0AD143: __EH_prolog.LIBCMT ref: 6C0AD148
                                • Part of subcall function 6C0AD143: ctype.LIBCPMT ref: 6C0AD16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction ID: d32520751f9dfb0429374779a8ca64903ed27e9af6e8ac3196e8ab04f2742907
                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction Fuzzy Hash: 0E039C30905288DFDF25DBE4C850BDCBBF4AF15308F248099D44967A92DB74AB8ADF61
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C053969
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C053973
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C053980
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: ff3a6a167a18821777ba1d38f4a3685da9a06975fc5442926a05c8b60051e031
                              • Instruction ID: 7754d46d9f8be2392a6546b4464700bdc058831174734edc1986595abb2a9feb
                              • Opcode Fuzzy Hash: ff3a6a167a18821777ba1d38f4a3685da9a06975fc5442926a05c8b60051e031
                              • Instruction Fuzzy Hash: 5231C4B5901228DBCB21DF28D988BDDBBF8BF48314F5045EAE41CA7250EB709B858F54
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,6C052925,6C04D339,00000003,00000000,6C04D339,00000000), ref: 6C05288F
                              • TerminateProcess.KERNEL32(00000000,?,6C052925,6C04D339,00000003,00000000,6C04D339,00000000), ref: 6C052896
                              • ExitProcess.KERNEL32 ref: 6C0528A8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 4de904e68b25dc6bcd070305ecf83fac34e709656292d48df74fba370dfd3f29
                              • Instruction ID: 4d6376a44860063461bfc6e2add0cb4c52bcb51d60fe251fe7a6aa12697b2afc
                              • Opcode Fuzzy Hash: 4de904e68b25dc6bcd070305ecf83fac34e709656292d48df74fba370dfd3f29
                              • Instruction Fuzzy Hash: 52E04F31101248ABCF076F54CA0CB683FF9FF45785F510424F40496520CF35E8A2CA50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: f3e6d4eba70fb32827a2faead8fe709fbb713a800646917166fdfae64b246a3e
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: A491C431D012599BCF2CEFA4D890BEDB7F1BF06708F108069D45167A51DB316A8ACBB8
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C04AFA0
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C04B7C3
                                • Part of subcall function 6C04CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C04B7AC,00000000,?,?,?,6C04B7AC,?,6C07853C), ref: 6C04CAC9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: e230fd9eea70862e86cd96910684b6105207dda55c7c39008669c3c091918e88
                              • Instruction ID: 249cd7ead711f14558e70e5de17f102fd6ed2451a473388cab6d082d1d6454e1
                              • Opcode Fuzzy Hash: e230fd9eea70862e86cd96910684b6105207dda55c7c39008669c3c091918e88
                              • Instruction Fuzzy Hash: 00B146B1A04609DBDF04DF65C88179EBBF5FB4972CF28C52AD425E7A90D338A644CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 8b7c5e982a54f8fa070f5336f5509bcf12e8d96a78ea526c7fb1824a7da1057d
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 912171376A49564BE74CCA28DC33EB926C0E745305B89527EE94BCB7D1DF5D8800CA48
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C09840F
                                • Part of subcall function 6C099137: __EH_prolog.LIBCMT ref: 6C09913C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 9236c0f714a0376c8c7c613e58e2a3108a53ec60b7a5cc27f0ad755bbaf1353e
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: 0C624670905219CFDF15CFA4C894BEEBBF5AF08308F14526AE915ABB80D774AA44DF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: b2a74ed0ab3c664defef7553d1ca77ad30091a7fe9e753bc897e64aa89de7d86
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: 7542917060D3918FD315CF28C49079ABBE2AFD9308F15496DE8E58B742D671D98BCB82
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 6d615bbaef061422911e20bff17a9af985853f040bc07570cb0d937830735adf
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 5951E971A093559BDB10CF5AC4C02EDFBE6EFBD214F18C05DE88897242D27A595AC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: 24fc59d88227eb3676ac8676a3083a1e34ce3fb47af89eddfa24cbe02afdc46d
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 4802BF316093408BD725CF28C49079EBBE2BFC9708F144A2DE9E597B55C774E986CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 8c06f092cd3bbb86f6f2a5f05c15fee5781acc9cb2514aec72b68dfab97b0261
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: F9519473E248214AE78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6CD789890C7D4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: B
                              • API String ID: 0-1255198513
                              • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                              • Instruction ID: 706de48a949d9e6329debb8a4156d4abf2207bcddb2fb5a8ab2f223cdc234466
                              • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                              • Instruction Fuzzy Hash: B53124315087558BD314DF68D884AABB3E2FBC4325F60CA3ED89ACBA94E7745815CF41
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: 3135e24c855f63d0f9c0fe7297f27841a45072372ae0edc5a92051859f82cbb4
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: CE524271209B458BD715CF29C49076AB7E2BF89318F148A2DD8EAC7B41DB74F486CB42
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: 6f2af9652f6e639e267d8c11449ecd08e606036973943d16553a9398b829ac61
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: 0F6213B1A083458FC714DF1AC48061AFBF2BFD9744F248A6EE89987715DB70E945CB82
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: f653b35913893e19a975483d66ab9cd4b9f2ab1577fa61b9bfcfa15571fc9be6
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: 5D1280712097418BC718CF2DC59076AFBE2BFC9344F54492DE9A687B41DB31E88ACB52
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: e2fa3a55acfd6d109b3e1db604356d5da6b1301b40228a823f60c33f93b9db12
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: BF02FA31B082128BD319CE28C490369BBF2FBC4355F190B2FE59697A94DB74D985CBD2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: 0bb9542d78d2401299e4f640138e014674f9ed60dfb1af010b05840b11beb47a
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: 80F1F0326042C98BEB24CE28D8547EEB7E2FBC5304F544539DC99CBB41DB35A58ACB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: 5be066c8928d6c2cdfa35315c257c44212f8f9bcfc38f5eb1542745101cd1ee5
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: A2D155716047168FD719CF1CC4A8636BBE1FF86304F054ABDDAA28B39ADB349615CB50
                              Memory Dump Source
                              • Source File: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                              • Instruction ID: cff1b71fa7b8219eac9c2d87e93edb1121ac4b00f80e5c50782f88d64dd7575a
                              • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                              • Instruction Fuzzy Hash: 6AB1B9366087128BD318DE7CD8509FB73E2EBC1320F55863DE596C79C4DB39951A8B81
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 4eee9cb0eaa44d9c1f00b70d1e85858574a72f9e1350e6bcced481912f141c80
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: BCC1B6352087418BC719CF39D0A069BBBE2EFD9314F148A6DC8DE4BB55DA30A44ECB55
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 4682faca92a265834dbacd329b7b769b0d2036886752de777a6a0d534bb9e8c7
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: F2B1F571309B058BD714DF79C890BDAB7E1AF85308F04452DC9BA87B91EF34B58A8B90
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: e4112f66e0709f1baac0f47e4168bba3dc2b544ccc047396bd9439de6011bef7
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: 08B1C0756087028BC304DF69C9906ABF7E2FFC8304F14892DD8A9C7711E771A59ACB95
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: 171f049940732d2e837a498f0c4c2c4673a1efb04ea5816e871c3166968fbf00
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: C5A1C67160C3418FC328DF19C49175EBBE1ABD9348F584A2DE8E687741D631E98BCB46
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: 55700622167076816a439bcbfe538de9f0f6b240b305e030e124a4254f799ac8
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: 1481A235A047058FC320DF29C481296B7E1FF99714F28CA6DC9A99B711E772E987CB81
                              Memory Dump Source
                              • Source File: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                              • Instruction ID: d2dc0ee4758851efc75650b94a8b1a86368b49001b725422617cca2faf15aace
                              • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                              • Instruction Fuzzy Hash: 2351A836A166124BC30CDA3CD8A19E73392EBC6370B49C73EE55AC79D4EB79940BC600
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: f24e576481a312681058bfd97a13a257a88812148f1c1a67be78c7edb7ec2adb
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: E3518DB6F006099BDF08CE98D9A17ADB7F2EB8C308F249169D119E7781D7749A41DF80
                              Memory Dump Source
                              • Source File: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                              • Instruction ID: d7112580d81509f099da95a290a743203a429a99ea45a15d5a4beb862ad5fa7b
                              • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                              • Instruction Fuzzy Hash: A051467650C7068BC314DF6CE9409EAB3A1AFC1320F618B3EE495CB8D1EB75552ACB46
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: a383e61d4892a09cc68f6a04f98408b122f6dc581b80949d4ee6239c3da56d95
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 2031142B7A440103C70CC92BCC2279FA1A75BD422A75EDB396805CAFA5D52CC8165144
                              Memory Dump Source
                              • Source File: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70913103dcb79474dcdbcf86f4d2b4dac07ceed3311b1ddc1740c0f7ecf99e5e
                              • Instruction ID: d6ab8445829fb92d1af0cb345ba1171d9f88c3b02914de9162803e20a39f0de0
                              • Opcode Fuzzy Hash: 70913103dcb79474dcdbcf86f4d2b4dac07ceed3311b1ddc1740c0f7ecf99e5e
                              • Instruction Fuzzy Hash: 6D419C72A4871A8FC304DE58EC804FBB3A6EFC9320F904B3D9866971D5D771691AC790
                              Memory Dump Source
                              • Source File: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                              • Instruction ID: 981d5476b460fde64215e5686e4d85c440662ce8dfa1d912cb5d73dff71d9f64
                              • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                              • Instruction Fuzzy Hash: 40318831A147128BD728DA39D4500ABB3E3EFC5318B55CB3DC4568B589EBB5610BCB81
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: 3b880d7395d2c5bb1e1323ca73f1c1e06dd7c14b858ebe591f9396bfb0bf416b
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: B4218E77320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D77AC457C785
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 82119a7de81af5519601b09873e4e7022b727434cbb5d56916c772059113a490
                              • Instruction ID: a969c467565e5d7a082e7e5e6fac8a3ba84d2900467b269663adae27ecd31919
                              • Opcode Fuzzy Hash: 82119a7de81af5519601b09873e4e7022b727434cbb5d56916c772059113a490
                              • Instruction Fuzzy Hash: D8F0A932A10320EBCB12DB48CA05B8973F8EB05BA8F618097E401EB640C2B0EE00DBC0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: 24f855537418a4e82c252f2de7556b9d32ee3c1d82d35310f6a6cf2e3fade03c
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: 33E08C32912238EBCB10CBC8DA04E8AF3ECEB85B14B6140A6F505D3600D270EE00CBD0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                              • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                              • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                              • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: 020b10dc919cf5b36be6d20de7af8f59f1b2a01ddcf71b1244f1794d9721baa6
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: FAD18B71A0420AAFCF15CFA4D980BEEB7F5FF49308F244529E055B3A50DB72A949CB64
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: 57bb1442c3b144a076400bb6e99bb4f910b624c9591b499fd610d5d898f3e8a7
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: 42125671900209AFDF14DFA4C880BEDBBF5FF08318F249169E919A7A50D735AA45DF50
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6C04D1F7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C04D1FF
                              • _ValidateLocalCookies.LIBCMT ref: 6C04D288
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C04D2B3
                              • _ValidateLocalCookies.LIBCMT ref: 6C04D308
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: be1d238bdeb0ffd9c8e31f8807b29c1378a869483da75e321e2527806774b7ee
                              • Instruction ID: a830257e2d34f072d660d8cb6080eaacb81322a68348751a638f178d40bc1f41
                              • Opcode Fuzzy Hash: be1d238bdeb0ffd9c8e31f8807b29c1378a869483da75e321e2527806774b7ee
                              • Instruction Fuzzy Hash: AC418D34A01218EBCF00DF68C994B9E7BF5AF4531CF54C1A5E9289BB51D731EA16CBA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              • Opcode ID: ea224d48930e51d2a35695407fe18fd5bdef8bf18cb5fdf9e804fd5815b7b40f
                              • Instruction ID: 143b386b77f79e65236ad9da8f7da5ebb40c13204131b47ee89f27b4b202eca1
                              • Opcode Fuzzy Hash: ea224d48930e51d2a35695407fe18fd5bdef8bf18cb5fdf9e804fd5815b7b40f
                              • Instruction Fuzzy Hash: DC21EB75E05221EBDF224A2D8E44B6A37EC9F067A8FB50625E915B76C0DA30EC11C6F0
                              APIs
                              • GetConsoleCP.KERNEL32(?,6C05E7C0,?), ref: 6C05F5E9
                              • __fassign.LIBCMT ref: 6C05F7C8
                              • __fassign.LIBCMT ref: 6C05F7E5
                              • WriteFile.KERNEL32(?,6C0691A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C05F82D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C05F86D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C05F919
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID:
                              • API String ID: 4031098158-0
                              • Opcode ID: 27a421835eef8841d6d057c777b159ea4040f7366a8e101eafd83fdb86ef99e6
                              • Instruction ID: 8297f9a2979702cc8c1deaeded07c946c5b8945fa4cd62b94c1641827fe91186
                              • Opcode Fuzzy Hash: 27a421835eef8841d6d057c777b159ea4040f7366a8e101eafd83fdb86ef99e6
                              • Instruction Fuzzy Hash: 73D1CC75D012589FDF01CFA8C980AEDBBF9FF09318F64416AE855BB241D734AA16CB50
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BF12F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BF12FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF12FD0
                              • __Getctype.LIBCPMT ref: 6BF13084
                              • std::_Facet_Register.LIBCPMT ref: 6BF1309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF130B7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 7762ffa6abe2e8ca7e0508b28addc3cc62604501f7c59896a627fd09368e5c4a
                              • Instruction ID: 98488d365d5a667a8b50ebb4719392e65b31bc16d4f978c0020b69ad506a959f
                              • Opcode Fuzzy Hash: 7762ffa6abe2e8ca7e0508b28addc3cc62604501f7c59896a627fd09368e5c4a
                              • Instruction Fuzzy Hash: 4A4147B2E04214CFDB14DF98C854B9EB7F4FB48718F108969D859AB750D739AA04CBD1
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: 97467fe133df0aa5b814c1b65ae6f949081028bdf970a3c8b9210c2c7cb3a0e3
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: 4221C130946219BEDF60DE948C40FCF7EA9EB457B8F20C326B520A1A90D3728D64DA61
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C08D6F1
                                • Part of subcall function 6C09C173: __EH_prolog.LIBCMT ref: 6C09C178
                              • __EH_prolog.LIBCMT ref: 6C08D8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: b30f4052f4478e35708572eacfa8fc9354998a39d08eff02674960a6c6eeb29c
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: B9717930905255DFDF18DFA4C440BEDBBF0AF15308F5081AAD8556BB91DB74BA0ACBA4
                              APIs
                              • _free.LIBCMT ref: 6C0691CD
                              • _free.LIBCMT ref: 6C0691F6
                              • SetEndOfFile.KERNEL32(00000000,6C067DDC,00000000,6C05E7C0,?,?,?,?,?,?,?,6C067DDC,6C05E7C0,00000000), ref: 6C069228
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C067DDC,6C05E7C0,00000000,?,?,?,?,00000000,?), ref: 6C069244
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: 4fef7db7f2673771b5153f0e8cafab740666adcfc80864299c91960ce7fc580a
                              • Instruction ID: dd29840df2999c463549bb636e9b8e69638a24d6bc1e2391541ab6ea62d0115d
                              • Opcode Fuzzy Hash: 4fef7db7f2673771b5153f0e8cafab740666adcfc80864299c91960ce7fc580a
                              • Instruction Fuzzy Hash: A441D332A00605ABDB019FAACD44BCE77F9EF49738F240504E924EBF90EB35E9594761
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C0A141D
                                • Part of subcall function 6C0A1E40: __EH_prolog.LIBCMT ref: 6C0A1E45
                                • Part of subcall function 6C0A18EB: __EH_prolog.LIBCMT ref: 6C0A18F0
                                • Part of subcall function 6C0A1593: __EH_prolog.LIBCMT ref: 6C0A1598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: f61d48ad1f3ad7d8c087f1b3b3cb610f9e41d67e268ddf43b493e2352032c9e5
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 35216871D01358EACB08DBE4D991AEDBBF5AF25308F204069D41227781DB786E09CB65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: cf178da0b6e7c7ae3c85a9c2725796084055ebf5dc4168461c5e0863598812dc
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 0311C2B0904B64CEC724CF5AC45429AFBE8BFA5708B10C91FC4A687B50C7F8A509CB99
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C0528A4,00000000,?,6C052925,6C04D339,00000003,00000000), ref: 6C05282F
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C052842
                              • FreeLibrary.KERNEL32(00000000,?,?,6C0528A4,00000000,?,6C052925,6C04D339,00000003,00000000), ref: 6C052865
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: b977e8158379fe3680db4e99c87cbc3fa1e6c83e0c541dcfd0d33286bfeca8ed
                              • Instruction ID: 8e5fff31a03ba0e59c91deff7e2359e6f27d0bf04a541424ce95a7eaa906a91b
                              • Opcode Fuzzy Hash: b977e8158379fe3680db4e99c87cbc3fa1e6c83e0c541dcfd0d33286bfeca8ed
                              • Instruction Fuzzy Hash: 55F08231712528FBDF16AB94CE1DBAD7BF8EF0539AF110064A404B2450CF308A01DBA0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C04AA1E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C04AA29
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C04AA97
                                • Part of subcall function 6C04A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C04A938
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6C04AA44
                              • _Yarn.LIBCPMT ref: 6C04AA5A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: 84218db3e43d8c0a31f72d3180b50a2541227077408d8059a3222cb74f7ccf12
                              • Instruction ID: 0f4d478e8b1f0b8830d59b3799d6ee3f29ace595d8a4dad16030e6a4420b9179
                              • Opcode Fuzzy Hash: 84218db3e43d8c0a31f72d3180b50a2541227077408d8059a3222cb74f7ccf12
                              • Instruction Fuzzy Hash: 51015AB9A00221DFDB06EB208954BBE7BF5FF85248B258069D80157B80DF34AA06DBD1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 26a7fd368084da62ec65b8d04e2171f52c8112d68f9bcda2f239fd8e3646ac06
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: C6126C70A09249EFCB04CFA4C490BDEBBF1FF09348F248469E855ABB51D735A945CB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 0bc0eef65f9cd6c7dd53a2bfc4bca19522666b81a88da5fc0ccf8fa926654c2c
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 20B17CB5D012099FCB24CF96C890BAEBBF1FF48315F60962ED416A7B50C734AA45DB90
                              APIs
                                • Part of subcall function 6C04AA17: __EH_prolog3.LIBCMT ref: 6C04AA1E
                                • Part of subcall function 6C04AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C04AA29
                                • Part of subcall function 6C04AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C04AA44
                                • Part of subcall function 6C04AA17: _Yarn.LIBCPMT ref: 6C04AA5A
                                • Part of subcall function 6C04AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C04AA97
                                • Part of subcall function 6BF12F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF12F95
                                • Part of subcall function 6BF12F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF12FAF
                                • Part of subcall function 6BF12F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF12FD0
                                • Part of subcall function 6BF12F60: __Getctype.LIBCPMT ref: 6BF13084
                                • Part of subcall function 6BF12F60: std::_Facet_Register.LIBCPMT ref: 6BF1309C
                                • Part of subcall function 6BF12F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF130B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6BF1211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C0A7ECC
                                • Part of subcall function 6C09258A: __EH_prolog.LIBCMT ref: 6C09258F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C05E7C0,6BF11DEA,00008000,6C05E7C0,?,?,?,6C05E36F,6C05E7C0,?,00000000,6BF11DEA), ref: 6C05E4B9
                              • GetLastError.KERNEL32(?,?,?,6C05E36F,6C05E7C0,?,00000000,6BF11DEA,?,6C067D8E,6C05E7C0,000000FF,000000FF,00000002,00008000,6C05E7C0), ref: 6C05E4C3
                              • __dosmaperr.LIBCMT ref: 6C05E4CA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              APIs
                              • GetLastError.KERNEL32(00000008,?,00000000,6C05BB43), ref: 6C0580A7
                              • _free.LIBCMT ref: 6C058104
                              • _free.LIBCMT ref: 6C05813A
                              • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C058145
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6C067DDC,00000000,00000000,?,6C068241,00000000,00000001,00000000,6C05E7C0,?,6C05F976,?,?,6C05E7C0), ref: 6C0695C1
                              • GetLastError.KERNEL32(?,6C068241,00000000,00000001,00000000,6C05E7C0,?,6C05F976,?,?,6C05E7C0,?,6C05E7C0,?,6C05F40C,6C0691A6), ref: 6C0695CD
                                • Part of subcall function 6C06961E: CloseHandle.KERNEL32(FFFFFFFE,6C0695DD,?,6C068241,00000000,00000001,00000000,6C05E7C0,?,6C05F976,?,?,6C05E7C0,?,6C05E7C0), ref: 6C06962E
                              • ___initconout.LIBCMT ref: 6C0695DD
                                • Part of subcall function 6C0695FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C06959B,6C06822E,6C05E7C0,?,6C05F976,?,?,6C05E7C0,?), ref: 6C069612
                              • WriteConsoleW.KERNEL32(00000000,?,6C067DDC,00000000,?,6C068241,00000000,00000001,00000000,6C05E7C0,?,6C05F976,?,?,6C05E7C0,?), ref: 6C0695F2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C081077
                                • Part of subcall function 6C080FF5: __EH_prolog.LIBCMT ref: 6C080FFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C09BC5D
                                • Part of subcall function 6C09A61A: __EH_prolog.LIBCMT ref: 6C09A61F
                                • Part of subcall function 6C09AA2E: __EH_prolog.LIBCMT ref: 6C09AA33
                                • Part of subcall function 6C09BEA5: __EH_prolog.LIBCMT ref: 6C09BEAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6BF12A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C067DC6), ref: 6C06070B
                              • __dosmaperr.LIBCMT ref: 6C060712
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                               • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: 1296e3a66fe4b2c8c3a2244880b52bdc04fc8edc3dc2103edcff72091ff70c51
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: 16315A31686D07CBD714EB58C905BAD77F5EB01718F600327D600B3EB2CB7299868A54
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 7faeaa365199a273c17368f83a748f6dbf394126dfefb73da9d02e14747d5761
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 3C416E31605785DFCF25DF64C4907AABBF2FF45208F00442EE49AA7B50CB726918DBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: b0d941fb8f28fe555aba5fdba2343c3d8467170a7ef0cb9107d1198f4a7adb05
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: F121A9B0A447046FD730CFB98880B5BFAFDEB48755F10892EA146E7B40D775E9088B65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: f8283c2a9d3ecfcebf8d6310ab2b2dd07abc7b60ba27ffa341f139d82f479277
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: AA01AD72E02209DBCB10CFA984806AEFBF4EF59704F50C42EE029F3A40C7389904CB99
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: 382e765978e16d808f4e41c4376f8b965101fa83bbdbf4b314ccc6e54fc6342d
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 1E112A71A02209DBCF00CFA9C49069EB7F8FF59708B90C46ED569E7A40D7389A45CB95
                              APIs
                              • _free.LIBCMT ref: 6C061439
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C05DD2A,?,00000004,?,4B42FCB6,?,?,6C052E7C,4B42FCB6,?), ref: 6C061475
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930866726.000000006BEC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BEC0000, based on PE: true
                              • Associated: 00000006.00000002.1930842269.000000006BEC0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931910400.000000006C06B000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1933414365.000000006C237000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: 071f93638542edf19077a5a2474df3815095891819eca141630fc2b19dbc339e
                              • Instruction ID: 75fc4f01af8ae91f88e13e1441ddee6e2921f73634e5eb334d2d870cdb69b27e
                              • Opcode Fuzzy Hash: 071f93638542edf19077a5a2474df3815095891819eca141630fc2b19dbc339e
                              • Instruction Fuzzy Hash: 40F0F6326012156BEB115E2B9C04B8F37FEDFC2BB8F51C119E82597E80DF20E41581A1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: 9e53f471beaa12ac84ff720adace16d94d8f1a20ae6ebcf69a894a6d5f4ce29c
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: 9CE0ED32A05920ABEB1CCB49C800B9EF3E8FF55B18F10406F9012F3B40CFB2A8048681
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: b870d946801a299b93188639858f6c0ad5b6e9a56a0984940ffcc6b11413856e
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: B7E06572A05611EFD7189F88D410BDEF7E5EF45B14F11015EE42167B52CBB5A801C694
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction ID: a8203976acd05896383b469c198f2820e28d59d59c5212a95c95430b970c2062
                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction Fuzzy Hash: 6A91F5306853479FCB18EF65C4587EE73F2AF4930CF108819C8A65BB81DB75AA49CB61
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931979184.000000006C07B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C07B000, based on PE: true
                              • Associated: 00000006.00000002.1932523911.000000006C146000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932560995.000000006C14C000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bec0000_3KFFG52TBI.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction ID: a66d6a5a149a1a1d9c63e8891c5593a80faa072590818ad7c1445227d89f45ad
                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction Fuzzy Hash: 9E51C1309043599BCF28EF98D840BEEB7F1EF1431CF10451AE81167A94DB75BA49CBA6

                              Execution Graph

                              Execution Coverage: 4%
                              Dynamic/Decrypted Code Coverage: 0%
                              Signature Coverage: 0.3%
                              Total number of Nodes: 2000
                              Total number of Limit Nodes: 30
                              execution_graph 73233 b1ffb1 __setusermatherr 73234 b1ffbd 73233->73234 73239 b20068 _controlfp 73234->73239 73236 b1ffc2 _initterm __getmainargs _initterm __p___initenv 73237 abc27c 73236->73237 73238 b2001d exit _XcptFilter 73237->73238 73239->73236 73240 b069f0 free 73241 a91368 73243 a9136d 73241->73243 73244 a9138c 73243->73244 73247 b17d80 WaitForSingleObject 73243->73247 73250 abf745 73243->73250 73254 b17ea0 SetEvent GetLastError 73243->73254 73248 b17d98 73247->73248 73249 b17d8e GetLastError 73247->73249 73248->73243 73249->73248 73251 abf74f __EH_prolog 73250->73251 73255 abf784 73251->73255 73253 abf765 73253->73243 73254->73243 73256 abf78e __EH_prolog 73255->73256 73264 a912d4 73256->73264 73259 a912d4 4 API calls 73260 abf7d4 73259->73260 73261 abf871 73260->73261 73272 a8c4d6 73260->73272 73278 b06b23 VirtualAlloc 73260->73278 73261->73253 73265 a91327 73264->73265 73266 a912e7 73264->73266 73265->73259 73267 a912ef _CxxThrowException 73266->73267 73268 a91304 73266->73268 73267->73268 73279 a81e40 free 73268->73279 73270 a9130b 73280 a81e0c 73270->73280 73276 a8c4e9 73272->73276 73273 a8c6f3 73273->73261 73276->73273 73277 a8c695 memmove 73276->73277 73285 a9111c 73276->73285 73290 a911b4 73276->73290 73277->73276 73278->73261 73279->73270 73281 a81e1c malloc 73280->73281 73282 a81e15 73280->73282 73283 a81e2a _CxxThrowException 73281->73283 73284 a81e3e 73281->73284 73282->73281 73283->73284 73284->73265 73286 a91130 73285->73286 73287 a9115f 73286->73287 73295 a8d331 73286->73295 73299 a8b668 73286->73299 73287->73276 73291 a911c1 73290->73291 73292 a911eb 73291->73292 73335 acae7c 73291->73335 73340 acaf27 73291->73340 73292->73276 73296 a8d355 73295->73296 73297 a8d374 73296->73297 73298 a8b668 10 API calls 73296->73298 73297->73286 73298->73297 73307 a8b675 73299->73307 73300 a8b864 73318 a87b7c 73300->73318 73303 a8b8aa GetLastError 73304 a8b6aa 73303->73304 73304->73286 73305 a8b81b 73305->73304 73309 a8b839 
memcpy 73305->73309 73306 a8b7e7 73306->73300 73311 a87731 5 API calls 73306->73311 73307->73300 73307->73304 73307->73305 73307->73306 73310 a8b811 73307->73310 73312 a8b7ad 73307->73312 73322 a87731 73307->73322 73331 a87b4f ReadFile 73307->73331 73309->73304 73332 a8b8ec GetLastError 73310->73332 73315 a8b80d 73311->73315 73312->73307 73317 a8b8c7 73312->73317 73330 b06a20 VirtualAlloc 73312->73330 73315->73300 73315->73310 73317->73304 73319 a87b89 73318->73319 73333 a87b4f ReadFile 73319->73333 73321 a87b9a 73321->73303 73321->73304 73323 a8775c SetFilePointer 73322->73323 73324 a87740 73322->73324 73325 a87780 GetLastError 73323->73325 73329 a877a1 73323->73329 73324->73323 73326 a8778c 73325->73326 73325->73329 73334 a876d6 SetFilePointer GetLastError 73326->73334 73328 a87796 SetLastError 73328->73329 73329->73307 73330->73312 73331->73307 73332->73304 73333->73321 73334->73328 73336 acae86 73335->73336 73347 a97190 73336->73347 73360 a97140 73336->73360 73337 acaebb 73337->73291 73341 acaf36 73340->73341 73342 acb010 73341->73342 73345 acaeeb 107 API calls 73341->73345 73452 a8bd0c 73341->73452 73457 acad3a 73341->73457 73461 acaebf 107 API calls 73341->73461 73342->73291 73345->73341 73348 a9719a __EH_prolog 73347->73348 73349 a971b0 73348->73349 73353 a971dd 73348->73353 73390 a94d78 73349->73390 73351 a971b7 73351->73337 73364 a96fc5 73353->73364 73354 a972b4 73355 a94d78 VariantClear 73354->73355 73356 a972c0 73354->73356 73355->73356 73356->73351 73357 a97140 7 API calls 73356->73357 73357->73351 73358 a97236 73358->73351 73358->73354 73359 a972a3 SetFileSecurityW 73358->73359 73359->73354 73361 a9718d 73360->73361 73362 a9714b 73360->73362 73361->73337 73362->73361 73451 a94dff 7 API calls 2 library calls 73362->73451 73365 a96fcf __EH_prolog 73364->73365 73393 a944a6 73365->73393 73370 a9709e 73420 a81e40 free 73370->73420 73372 a97029 73374 a9706a 73372->73374 73415 a94dff 7 API calls 2 library calls 73372->73415 73373 a97051 73373->73374 73378 
a911b4 107 API calls 73373->73378 73396 a968ac 73374->73396 73377 a970c0 73416 a86096 15 API calls 2 library calls 73377->73416 73378->73374 73379 a9712e 73379->73358 73381 a970d1 73382 a970e2 73381->73382 73417 a94dff 7 API calls 2 library calls 73381->73417 73387 a970e6 73382->73387 73418 a96b5e 69 API calls 2 library calls 73382->73418 73385 a970fd 73386 a97103 73385->73386 73385->73387 73419 a81e40 free 73386->73419 73387->73370 73389 a9710b 73389->73379 73440 aa9262 73390->73440 73421 a82e04 73393->73421 73398 a968b6 __EH_prolog 73396->73398 73397 a96921 73400 a96962 73397->73400 73404 a96998 73397->73404 73431 a96a17 6 API calls 2 library calls 73397->73431 73398->73397 73413 a968c5 73398->73413 73425 a87d4b 73398->73425 73400->73404 73432 a82dcd malloc _CxxThrowException 73400->73432 73403 a969e1 73435 a8bcf8 CloseHandle 73403->73435 73404->73403 73424 a87c3b SetFileTime 73404->73424 73406 a9697a 73433 a96b09 13 API calls __EH_prolog 73406->73433 73411 a9698c 73434 a81e40 free 73411->73434 73413->73370 73413->73377 73414 a96e71 12 API calls 2 library calls 73414->73372 73415->73373 73416->73381 73417->73382 73418->73385 73419->73389 73420->73379 73422 a81e0c ctype 2 API calls 73421->73422 73423 a82e11 73422->73423 73423->73372 73423->73374 73423->73414 73424->73403 73436 a877c8 73425->73436 73427 a87d76 73427->73397 73430 a94dff 7 API calls 2 library calls 73427->73430 73430->73397 73431->73400 73432->73406 73433->73411 73434->73404 73435->73413 73437 a87731 SetFilePointer GetLastError SetFilePointer GetLastError SetLastError 73436->73437 73438 a877db 73437->73438 73438->73427 73439 a87d3c SetEndOfFile 73438->73439 73439->73427 73441 aa926c __EH_prolog 73440->73441 73442 aa92fc 73441->73442 73446 aa92a4 73441->73446 73443 a8965d VariantClear 73442->73443 73445 a94d91 73443->73445 73445->73351 73447 a8965d 73446->73447 73448 a89685 73447->73448 73450 a89665 73447->73450 73448->73445 73449 a8967e VariantClear 73449->73448 73450->73448 73450->73449 73451->73361 
73462 a87ca2 73452->73462 73456 a8bd3d 73456->73341 73458 acad44 __EH_prolog 73457->73458 73470 a96305 73458->73470 73459 acadbf 73459->73341 73461->73341 73465 a87caf 73462->73465 73464 a87cdb 73464->73456 73466 a8b8ec GetLastError 73464->73466 73465->73464 73467 a87c68 73465->73467 73466->73456 73468 a87c79 WriteFile 73467->73468 73469 a87c76 73467->73469 73468->73465 73469->73468 73471 a9630f __EH_prolog 73470->73471 73507 a962b9 73471->73507 73474 a96427 73476 a8965d VariantClear 73474->73476 73475 a9644a 73477 a8965d VariantClear 73475->73477 73499 a96445 73476->73499 73478 a9646b 73477->73478 73511 a95126 73478->73511 73483 a94d78 VariantClear 73484 a96499 73483->73484 73484->73499 73503 a964ca 73484->73503 73667 a95110 9 API calls 73484->73667 73486 a965de 73487 a9669e 73486->73487 73488 a965e7 73486->73488 73493 a966b8 73487->73493 73494 a96754 73487->73494 73487->73499 73492 a81e0c ctype 2 API calls 73488->73492 73495 a965f6 73488->73495 73489 a964da 73489->73486 73489->73499 73669 a9789c free memmove ctype 73489->73669 73492->73495 73497 a81e0c ctype 2 API calls 73493->73497 73557 a95bea 73494->73557 73670 aa36ea 73495->73670 73496 a9666b 73683 a81e40 free 73496->73683 73497->73499 73499->73459 73500 a9665c 73682 a831e5 malloc _CxxThrowException free _CxxThrowException 73500->73682 73503->73489 73503->73499 73668 a842e3 CharUpperW 73503->73668 73508 a962c9 73507->73508 73684 aa8fa4 73508->73684 73512 a95130 __EH_prolog 73511->73512 73513 a951b4 73512->73513 73519 a9518e 73512->73519 73744 a83097 malloc _CxxThrowException free SysStringLen ctype 73512->73744 73515 a8965d VariantClear 73513->73515 73513->73519 73517 a951bc 73515->73517 73516 a8965d VariantClear 73518 a9527f 73516->73518 73517->73519 73520 a95289 73517->73520 73521 a95206 73517->73521 73518->73499 73553 aa8b05 73518->73553 73519->73516 73520->73519 73522 a95221 73520->73522 73745 a83097 malloc _CxxThrowException free SysStringLen ctype 73521->73745 73524 a8965d VariantClear 73522->73524 
73525 a9522d 73524->73525 73525->73518 73526 a95351 73525->73526 73746 a95459 malloc _CxxThrowException __EH_prolog 73525->73746 73526->73518 73533 a953a1 73526->73533 73751 a835e7 memmove 73526->73751 73529 a952ba 73747 a88011 5 API calls ctype 73529->73747 73531 a952cf 73546 a952fd 73531->73546 73748 a8823d 10 API calls 2 library calls 73531->73748 73533->73518 73752 a843b7 5 API calls 2 library calls 73533->73752 73536 a952e5 73537 a82fec 3 API calls 73536->73537 73539 a952f5 73537->73539 73538 a9540e 73754 a9789c free memmove ctype 73538->73754 73749 a81e40 free 73539->73749 73543 a953df 73543->73538 73544 a9541c 73543->73544 73753 a842e3 CharUpperW 73543->73753 73545 aa36ea 5 API calls 73544->73545 73547 a95427 73545->73547 73750 a954a0 free ctype 73546->73750 73548 a82fec 3 API calls 73547->73548 73549 a95433 73548->73549 73755 a81e40 free 73549->73755 73551 a9543b 73756 ab2db9 free ctype 73551->73756 73554 aa8b2e 73553->73554 73555 a8965d VariantClear 73554->73555 73556 a9648a 73555->73556 73556->73483 73556->73499 73558 a95bf4 __EH_prolog 73557->73558 73757 a954c0 73558->73757 73561 aa8b05 VariantClear 73562 a95c34 73561->73562 73606 a95e17 73562->73606 73772 a95630 73562->73772 73565 aa36ea 5 API calls 73566 a95c51 73565->73566 73567 a95c60 73566->73567 73875 a957c1 53 API calls 2 library calls 73566->73875 73793 a82f1c 73567->73793 73570 a95c6c 73573 a95caa 73570->73573 73876 a96217 4 API calls 2 library calls 73570->73876 73572 a95c91 73574 a82fec 3 API calls 73572->73574 73579 a82e04 2 API calls 73573->73579 73597 a95d49 73573->73597 73575 a95c9e 73574->73575 73877 a81e40 free 73575->73877 73577 a95d91 73589 a95da6 73577->73589 73796 a958be 73577->73796 73578 a95d55 73580 a82fec 3 API calls 73578->73580 73581 a95cd2 73579->73581 73583 a95d66 73580->73583 73878 a81e40 free 73581->73878 73584 a82fec 3 API calls 73589->73584 73666 a95d8c 73589->73666 73594 a95cf5 73594->73597 73597->73577 73597->73578 73606->73499 73667->73503 73668->73503 73669->73486 
73671 aa36f4 __EH_prolog 73670->73671 73672 a82e04 2 API calls 73671->73672 73673 aa370a 73672->73673 73674 aa3736 73673->73674 74064 a81089 malloc _CxxThrowException free _CxxThrowException 73673->74064 74065 a831e5 malloc _CxxThrowException free _CxxThrowException 73673->74065 73675 a82f1c 2 API calls 73674->73675 73678 aa3742 73675->73678 74063 a81e40 free 73678->74063 73680 a96633 73680->73496 73680->73500 73681 a81089 malloc _CxxThrowException free _CxxThrowException 73680->73681 73681->73500 73682->73496 73683->73499 73685 aa8fae __EH_prolog 73684->73685 73718 aa7ebb 73685->73718 73690 a96302 73690->73474 73690->73475 73690->73499 73692 aa9020 73692->73690 73726 a82fec 73692->73726 73696 aa91b0 73741 aa8b9c 10 API calls 2 library calls 73696->73741 73697 aa9244 73743 a843b7 5 API calls 2 library calls 73697->73743 73698 aa9144 73706 aa917b 73698->73706 73735 a82f88 73698->73735 73702 aa91c0 73702->73690 73711 a82f88 3 API calls 73702->73711 73703 aa9100 73707 a8965d VariantClear 73703->73707 73704 aa90d6 73704->73703 73709 aa90e7 73704->73709 73734 aa8f2e 9 API calls 73704->73734 73705 aa904d 73705->73690 73705->73698 73705->73703 73705->73704 73733 a83097 malloc _CxxThrowException free SysStringLen ctype 73705->73733 73706->73696 73706->73697 73707->73690 73712 a8965d VariantClear 73709->73712 73716 aa91ff 73711->73716 73712->73698 73713 aa9112 73713->73703 73714 aa8b64 VariantClear 73713->73714 73715 aa9123 73714->73715 73715->73703 73715->73709 73716->73690 73742 a850ff free ctype 73716->73742 73720 aa7ee4 73718->73720 73721 aa7ec6 73718->73721 73719 a81e40 free ctype 73719->73721 73722 aa8b64 73720->73722 73721->73719 73721->73720 73723 aa8b05 VariantClear 73722->73723 73724 aa8b6f 73723->73724 73724->73690 73725 aa8f2e 9 API calls 73724->73725 73725->73692 73727 a82ffc 73726->73727 73728 a82ff8 73726->73728 73727->73728 73729 a81e0c ctype malloc _CxxThrowException 73727->73729 73728->73705 73732 aa8b80 VariantClear 73728->73732 73730 a83010 73729->73730 
73731 a81e40 ctype free 73730->73731 73731->73728 73732->73705 73733->73704 73734->73713 73736 a82f9a 73735->73736 73737 a81e0c ctype malloc _CxxThrowException 73736->73737 73738 a82fbe 73736->73738 73739 a82fb4 73737->73739 73738->73706 73740 a81e40 ctype free 73739->73740 73740->73738 73741->73702 73742->73690 73743->73690 73744->73513 73745->73522 73746->73529 73747->73531 73748->73536 73749->73546 73750->73526 73751->73526 73752->73543 73753->73543 73754->73544 73755->73551 73756->73518 73758 a954ca __EH_prolog 73757->73758 73759 a95507 73758->73759 73761 a8965d VariantClear 73758->73761 73760 a8965d VariantClear 73759->73760 73762 a95567 73760->73762 73763 a95528 73761->73763 73762->73561 73762->73606 73763->73759 73764 a95572 73763->73764 73765 a8965d VariantClear 73764->73765 73766 a9558e 73765->73766 73906 a94cac VariantClear __EH_prolog 73766->73906 73768 a955a1 73768->73762 73907 a94cac VariantClear __EH_prolog 73768->73907 73770 a955b8 73770->73762 73908 a94cac VariantClear __EH_prolog 73770->73908 73773 a9563a __EH_prolog 73772->73773 73775 a95679 73773->73775 73909 aa3558 10 API calls 2 library calls 73773->73909 73776 a82f1c 2 API calls 73775->73776 73792 a9571a 73775->73792 73777 a95696 73776->73777 73910 aa3333 malloc _CxxThrowException free 73777->73910 73779 a956a2 73780 a956ad 73779->73780 73781 a956c5 73779->73781 73911 a97853 5 API calls 2 library calls 73780->73911 73783 a956b4 73781->73783 73912 a84adf wcscmp 73781->73912 73785 a95707 73783->73785 73914 a81089 malloc _CxxThrowException free _CxxThrowException 73783->73914 73915 a831e5 malloc _CxxThrowException free _CxxThrowException 73785->73915 73786 a956d2 73786->73783 73913 a97853 5 API calls 2 library calls 73786->73913 73789 a95712 73916 a81e40 free 73789->73916 73792->73565 73917 a82ba6 73793->73917 73797 a958c8 __EH_prolog 73796->73797 73875->73567 73876->73572 73877->73573 73878->73594 73906->73768 73907->73770 73908->73762 73909->73775 73910->73779 73911->73783 73912->73786 
73913->73783 73914->73785 73915->73789 73916->73792 73918 a81e0c ctype malloc _CxxThrowException 73917->73918 73919 a82bbb 73918->73919 73919->73570 74063->73680 74064->73673 74065->73673 74066 aba42c 74067 aba449 74066->74067 74068 aba435 fputs 74066->74068 74225 ab545d 74067->74225 74224 a81fa0 fputc 74068->74224 74072 a82e04 2 API calls 74073 aba4a1 74072->74073 74229 aa1858 74073->74229 74075 aba4c9 74291 a81e40 free 74075->74291 74077 aba4d8 74078 aba4ee 74077->74078 74292 abc7d7 74077->74292 74080 aba50e 74078->74080 74300 ab57fb 74078->74300 74310 abc73e 74080->74310 74085 abac17 74488 ab2db9 free ctype 74085->74488 74086 a81e0c ctype 2 API calls 74088 aba53a 74086->74088 74090 aba54d 74088->74090 74446 abb0fa malloc _CxxThrowException __EH_prolog 74088->74446 74089 abac23 74091 abac3a 74089->74091 74093 abac35 74089->74093 74097 a82fec 3 API calls 74090->74097 74490 abb96d _CxxThrowException 74091->74490 74489 abb988 33 API calls __aulldiv 74093->74489 74096 abac42 74491 a81e40 free 74096->74491 74102 aba586 74097->74102 74099 abac4d 74492 aa3247 74099->74492 74328 abad06 74102->74328 74106 abac7d 74499 a811c2 free __EH_prolog ctype 74106->74499 74110 abac89 74500 abbe0c free __EH_prolog ctype 74110->74500 74114 abac98 74501 ab2db9 free ctype 74114->74501 74115 a82e04 2 API calls 74117 aba636 74115->74117 74346 aa4345 74117->74346 74202 abaae5 74487 ab2db9 free ctype 74202->74487 74224->74067 74226 ab5473 74225->74226 74227 ab5466 74225->74227 74226->74072 74502 a8275e malloc _CxxThrowException free ctype 74227->74502 74230 aa1862 __EH_prolog 74229->74230 74503 aa021a 74230->74503 74235 aa18b9 74517 aa1aa5 free __EH_prolog ctype 74235->74517 74237 aa1935 74528 aa1aa5 free __EH_prolog ctype 74237->74528 74238 aa18c7 74518 ab2db9 free ctype 74238->74518 74241 aa1944 74263 aa1966 74241->74263 74529 aa1d73 5 API calls __EH_prolog 74241->74529 74243 aa18d3 74243->74075 74246 aa1958 _CxxThrowException 74246->74263 74247 aa19be 74536 aaf1f1 malloc 
76756->76839 76759 aac430 76841 a81e40 free 76759->76841 76762 aac438 76842 a81e40 free 76762->76842 76763 aaac6c 76824 a81e40 free 76763->76824 76765 aac443 76843 a81e40 free 76765->76843 76769 aaac85 76825 a81e40 free 76769->76825 76770 aac44e 76844 a81e40 free 76770->76844 76773 aaac2e 76840 a81e40 free 76773->76840 76774 aac459 76776 aaad88 76832 aa8125 free ctype 76776->76832 76779->76731 76779->76738 76779->76763 76779->76776 76781 aaad17 76779->76781 76783 aaacbc 76779->76783 76797 a9101c 76779->76797 76800 aa98f2 76779->76800 76806 aacc6f 76779->76806 76817 aa9531 5 API calls __EH_prolog 76779->76817 76818 aa80c1 malloc _CxxThrowException __EH_prolog 76779->76818 76819 aac820 5 API calls 2 library calls 76779->76819 76820 aa814d 6 API calls 76779->76820 76821 aa8125 free ctype 76779->76821 76829 aa8125 free ctype 76781->76829 76782 aaad93 76833 a81e40 free 76782->76833 76826 aa8125 free ctype 76783->76826 76787 aaadac 76834 a81e40 free 76787->76834 76789 aaacc7 76827 a81e40 free 76789->76827 76790 aaad3c 76830 a81e40 free 76790->76830 76793 aaad55 76831 a81e40 free 76793->76831 76794 aaace0 76828 a81e40 free 76794->76828 76799 a8b95a 6 API calls 76797->76799 76798 a91028 76798->76779 76799->76798 76801 aa98fc __EH_prolog 76800->76801 76845 aa9987 76801->76845 76803 aa9970 76803->76779 76804 aa9911 76804->76803 76849 aaef8d 12 API calls 2 library calls 76804->76849 76889 ac5505 76806->76889 76893 accf91 76806->76893 76901 acf445 76806->76901 76807 aacc8b 76811 aacccb 76807->76811 76907 aa979e VariantClear __EH_prolog 76807->76907 76809 aaccb1 76809->76811 76908 aacae9 VariantClear 76809->76908 76811->76779 76815->76747 76816->76779 76817->76779 76818->76779 76819->76779 76820->76779 76821->76779 76822->76746 76823->76773 76824->76769 76825->76773 76826->76789 76827->76794 76828->76773 76829->76790 76830->76793 76831->76773 76832->76782 76833->76787 76834->76773 76835->76734 76836->76744 76837->76752 76838->76756 76839->76773 76840->76759 76841->76762 
76842->76765 76843->76770 76844->76774 76846 aa9991 __EH_prolog 76845->76846 76850 ad80aa 76846->76850 76847 aa99a8 76847->76804 76849->76803 76851 ad80b4 __EH_prolog 76850->76851 76852 a81e0c ctype 2 API calls 76851->76852 76853 ad80bf 76852->76853 76854 ad80d3 76853->76854 76856 acbdb5 76853->76856 76854->76847 76857 acbdbf __EH_prolog 76856->76857 76862 acbe69 76857->76862 76859 acbdef 76860 a82e04 2 API calls 76859->76860 76861 acbe16 76860->76861 76861->76854 76863 acbe73 __EH_prolog 76862->76863 76866 ac5e2b 76863->76866 76865 acbe7f 76865->76859 76867 ac5e35 __EH_prolog 76866->76867 76872 ac08b6 76867->76872 76869 ac5e41 76877 a9dfc9 malloc _CxxThrowException __EH_prolog 76869->76877 76871 ac5e57 76871->76865 76878 a89c60 76872->76878 76874 ac08c4 76883 a89c8f GetModuleHandleA GetProcAddress 76874->76883 76876 ac08f3 __aulldiv 76876->76869 76877->76871 76888 a89c4d GetCurrentProcess GetProcessAffinityMask 76878->76888 76880 a89c6e 76881 a89c80 GetSystemInfo 76880->76881 76882 a89c79 76880->76882 76881->76874 76882->76874 76884 a89cef GlobalMemoryStatus 76883->76884 76885 a89cc4 GlobalMemoryStatusEx 76883->76885 76886 a89d08 76884->76886 76885->76884 76887 a89cce 76885->76887 76886->76887 76887->76876 76888->76880 76890 ac550f __EH_prolog 76889->76890 76909 ac4e8a 76890->76909 76894 accf9b __EH_prolog 76893->76894 76895 acf445 14 API calls 76894->76895 76896 acd018 76895->76896 76900 acd01f 76896->76900 77125 ad1511 76896->77125 76898 acd08b 76898->76900 77131 ad2c5d 11 API calls 2 library calls 76898->77131 76900->76807 76902 acf455 76901->76902 77257 a91092 76902->77257 76905 acf478 76905->76807 76907->76809 76908->76811 76910 ac4e94 __EH_prolog 76909->76910 76911 a82e04 2 API calls 76910->76911 77014 ac4f1d 76910->77014 76912 ac4ed7 76911->76912 77041 a97fc5 76912->77041 76914 ac4f0a 76916 a8965d VariantClear 76914->76916 76915 ac4f37 76917 ac4f41 76915->76917 76918 ac4f63 76915->76918 76920 ac4f15 76916->76920 76921 a8965d VariantClear 76917->76921 76919 
a82f88 3 API calls 76918->76919 76923 ac4f71 76919->76923 77062 a81e40 free 76920->77062 76922 ac4f4c 76921->76922 77063 a81e40 free 76922->77063 76926 a8965d VariantClear 76923->76926 76927 ac4f80 76926->76927 77064 a95bcf malloc _CxxThrowException 76927->77064 76929 ac4f9a 76930 a82e47 2 API calls 76929->76930 76931 ac4fad 76930->76931 76932 a82f1c 2 API calls 76931->76932 76933 ac4fbd 76932->76933 76934 a82e04 2 API calls 76933->76934 76935 ac4fd1 76934->76935 76936 a82e04 2 API calls 76935->76936 76945 ac4fdd 76936->76945 76937 ac5404 77103 a81e40 free 76937->77103 76939 ac540c 77104 a81e40 free 76939->77104 76941 ac5414 77105 a81e40 free 76941->77105 76944 ac5099 76947 a82da9 2 API calls 76944->76947 76945->76937 77065 a95bcf malloc _CxxThrowException 76945->77065 76946 ac541c 77106 a81e40 free 76946->77106 76949 ac50a9 76947->76949 76952 a82fec 3 API calls 76949->76952 76950 ac5424 77107 a81e40 free 76950->77107 76953 ac50b6 76952->76953 77066 a81e40 free 76953->77066 76954 ac542c 77108 a81e40 free 76954->77108 76957 ac50be 77067 a81e40 free 76957->77067 76959 ac50cd 76960 a82f88 3 API calls 76959->76960 76961 ac50e3 76960->76961 76962 ac5100 76961->76962 76963 ac50f1 76961->76963 77068 a83044 malloc _CxxThrowException free ctype 76962->77068 76964 a830ea 3 API calls 76963->76964 76966 ac50fe 76964->76966 77069 a91029 6 API calls 76966->77069 76968 ac511a 76969 ac516b 76968->76969 76970 ac5120 76968->76970 77076 a9089e malloc _CxxThrowException free _CxxThrowException memcpy 76969->77076 77070 a81e40 free 76970->77070 76973 ac5187 76977 ac04d2 5 API calls 76973->76977 76974 ac5128 77071 a81e40 free 76974->77071 76976 ac5130 77072 a81e40 free 76976->77072 76979 ac51ba 76977->76979 77077 ac0516 malloc _CxxThrowException ctype 76979->77077 76980 ac5138 77073 a81e40 free 76980->77073 76983 ac51c5 76988 ac522d 76983->76988 76989 ac51f5 76983->76989 76984 ac5140 77074 a81e40 free 76984->77074 76986 ac5148 77075 a81e40 free 76986->77075 76990 a82e04 2 API calls 
76988->76990 77078 a81e40 free 76989->77078 77038 ac5235 76990->77038 76992 ac51fd 77079 a81e40 free 76992->77079 76995 ac5205 77080 a81e40 free 76995->77080 76996 ac532e 77089 a81e40 free 76996->77089 76998 ac520d 77081 a81e40 free 76998->77081 77001 ac5347 77001->76937 77003 ac5358 77001->77003 77002 ac5215 77082 a81e40 free 77002->77082 77090 a81e40 free 77003->77090 77005 ac53a3 77096 a81e40 free 77005->77096 77007 ac5360 77091 a81e40 free 77007->77091 77008 ac521d 77083 a81e40 free 77008->77083 77012 ac5368 77092 a81e40 free 77012->77092 77014->76807 77016 ac53bc 77097 a81e40 free 77016->77097 77017 ac5370 77093 a81e40 free 77017->77093 77021 ac53c4 77098 a81e40 free 77021->77098 77022 ac5378 77094 a81e40 free 77022->77094 77024 ac04d2 5 API calls 77024->77038 77026 ac53cc 77099 a81e40 free 77026->77099 77027 ac5380 77095 a81e40 free 77027->77095 77031 ac53d4 77100 a81e40 free 77031->77100 77033 ac53dc 77101 a81e40 free 77033->77101 77035 ac53e4 77102 a81e40 free 77035->77102 77038->76996 77038->77005 77038->77024 77039 a82e04 2 API calls 77038->77039 77084 ac545c 5 API calls 2 library calls 77038->77084 77085 a91029 6 API calls 77038->77085 77086 a9089e malloc _CxxThrowException free _CxxThrowException memcpy 77038->77086 77087 ac0516 malloc _CxxThrowException ctype 77038->77087 77088 a81e40 free 77038->77088 77039->77038 77042 a97fcf __EH_prolog 77041->77042 77044 a98061 77042->77044 77046 a9805c 77042->77046 77047 a98019 77042->77047 77051 a97ff4 77042->77051 77043 a9800a 77118 a89736 VariantClear 77043->77118 77044->77046 77059 a98025 77044->77059 77117 a89630 VariantClear 77046->77117 77050 a9801e 77047->77050 77047->77051 77048 a980b8 77055 a8965d VariantClear 77048->77055 77052 a98042 77050->77052 77053 a98022 77050->77053 77051->77043 77109 a8950d 77051->77109 77115 a89597 VariantClear 77052->77115 77056 a98032 77053->77056 77053->77059 77058 a980c0 77055->77058 77114 a89604 VariantClear 77056->77114 77058->76914 77058->76915 77059->77043 77116 a895df 
VariantClear 77059->77116 77062->77014 77063->77014 77064->76929 77065->76944 77066->76957 77067->76959 77068->76966 77069->76968 77070->76974 77071->76976 77072->76980 77073->76984 77074->76986 77075->77014 77076->76973 77077->76983 77078->76992 77079->76995 77080->76998 77081->77002 77082->77008 77083->77014 77084->77038 77085->77038 77086->77038 77087->77038 77088->77038 77089->77001 77090->77007 77091->77012 77092->77017 77093->77022 77094->77027 77095->77014 77096->77016 77097->77021 77098->77026 77099->77031 77100->77033 77101->77035 77102->77014 77103->76939 77104->76941 77105->76946 77106->76950 77107->76954 77108->77014 77119 a89767 77109->77119 77111 a89518 SysAllocStringLen 77112 a89539 _CxxThrowException 77111->77112 77113 a8954f 77111->77113 77112->77113 77113->77043 77114->77043 77115->77043 77116->77043 77117->77043 77118->77048 77120 a89779 77119->77120 77121 a89770 77119->77121 77124 a89686 VariantClear 77120->77124 77121->77111 77123 a89780 77123->77111 77124->77123 77126 ad151b __EH_prolog 77125->77126 77132 ad10d3 77126->77132 77129 ad1589 77129->76898 77130 ad1552 _CxxThrowException 77130->76898 77130->77129 77131->76900 77133 ad10dd __EH_prolog 77132->77133 77134 acd1b7 free 77133->77134 77135 ad10f2 77134->77135 77136 ad12ef 77135->77136 77141 a91168 10 API calls 77135->77141 77145 ad11f4 77135->77145 77136->77129 77136->77130 77137 ad139e 77137->77136 77138 ad13c4 77137->77138 77139 a81e0c ctype 2 API calls 77137->77139 77164 a91168 77138->77164 77139->77138 77141->77145 77143 ad13da 77146 ad13f9 77143->77146 77156 ad13de 77143->77156 77202 acef67 _CxxThrowException 77143->77202 77145->77136 77163 a8b95a 6 API calls 77145->77163 77167 acf047 77146->77167 77149 ad14ba 77206 ad0943 50 API calls 2 library calls 77149->77206 77151 ad1450 77171 ad06ae 77151->77171 77153 ad14e7 77207 ab2db9 free ctype 77153->77207 77208 a81e40 free 77156->77208 77159 ad148e 77160 acf047 _CxxThrowException 77159->77160 77161 ad14ac 77160->77161 77161->77149 77205 
acef67 _CxxThrowException 77161->77205 77163->77137 77165 a9111c 10 API calls 77164->77165 77166 a9117b 77165->77166 77166->77143 77168 acf063 77167->77168 77169 acf072 77168->77169 77209 acef67 _CxxThrowException 77168->77209 77169->77149 77169->77151 77203 acef67 _CxxThrowException 77169->77203 77172 ad06b8 __EH_prolog 77171->77172 77210 ad03f4 77172->77210 77174 acb8dc ctype free 77176 ad08a6 77174->77176 77175 a912a5 5 API calls 77198 ad0715 77175->77198 77240 a81e40 free 77176->77240 77178 ad08e3 _CxxThrowException 77180 ad08f7 77178->77180 77179 ad08ae 77241 a81e40 free 77179->77241 77183 acb8dc ctype free 77180->77183 77181 a8429a 3 API calls 77181->77198 77185 ad0914 77183->77185 77184 ad08b6 77242 a81e40 free 77184->77242 77244 a81e40 free 77185->77244 77186 a81e0c ctype 2 API calls 77186->77198 77189 ad08be 77243 acc149 free ctype 77189->77243 77190 ad091c 77245 a81e40 free 77190->77245 77193 ad08d0 77193->77153 77193->77159 77204 acef67 _CxxThrowException 77193->77204 77194 ad0924 77246 a81e40 free 77194->77246 77196 ac81ec 29 API calls 77196->77198 77197 ad092c 77247 acc149 free ctype 77197->77247 77198->77175 77198->77178 77198->77180 77198->77181 77198->77186 77198->77196 77200 ad0877 77198->77200 77201 acef67 _CxxThrowException 77198->77201 77200->77174 77201->77198 77202->77146 77203->77151 77204->77159 77205->77149 77206->77153 77207->77156 77208->77136 77209->77169 77211 acf047 _CxxThrowException 77210->77211 77212 ad0407 77211->77212 77213 ad0475 77212->77213 77215 acf047 _CxxThrowException 77212->77215 77214 ad049a 77213->77214 77251 acfa3f 22 API calls 2 library calls 77213->77251 77216 ad04b8 77214->77216 77252 ad159a malloc _CxxThrowException free ctype 77214->77252 77218 ad0421 77215->77218 77217 ad04e8 77216->77217 77221 ad04cd 77216->77221 77254 ad7c4a malloc _CxxThrowException free ctype 77217->77254 77222 ad043e 77218->77222 77248 acef67 _CxxThrowException 77218->77248 77253 acfff0 9 API calls 2 library calls 77221->77253 77249 acf93c 7 
API calls 2 library calls 77222->77249 77224 ad0492 77226 acf047 _CxxThrowException 77224->77226 77226->77214 77228 ad04db 77233 acf047 _CxxThrowException 77228->77233 77230 ad04e3 77235 ad054a 77230->77235 77256 acef67 _CxxThrowException 77230->77256 77231 ad0446 77232 ad046d 77231->77232 77250 acef67 _CxxThrowException 77231->77250 77234 acf047 _CxxThrowException 77232->77234 77233->77230 77234->77213 77235->77198 77236 ad04f3 77236->77230 77255 a9089e malloc _CxxThrowException free _CxxThrowException memcpy 77236->77255 77240->77179 77241->77184 77242->77189 77243->77193 77244->77190 77245->77194 77246->77197 77247->77193 77248->77222 77249->77231 77250->77232 77251->77224 77252->77216 77253->77228 77254->77236 77255->77236 77256->77235 77259 a8b95a 6 API calls 77257->77259 77258 a910aa 77258->76905 77260 acf1b2 77258->77260 77259->77258 77261 acf1bc __EH_prolog 77260->77261 77262 a91168 10 API calls 77261->77262 77264 acf1d3 77262->77264 77263 acf1e6 77263->76905 77264->77263 77265 acf21c _CxxThrowException 77264->77265 77266 acf231 memcpy 77264->77266 77265->77266 77267 acf24c 77266->77267 77267->77263 77268 acf2f0 memmove 77267->77268 77269 acf31a memcpy 77267->77269 77268->77267 77269->77263 77270 ac0343 77275 ac035f 77270->77275 77273 ac0358 77276 ac0369 __EH_prolog 77275->77276 77292 a9139e 77276->77292 77281 ac0143 ctype free 77282 ac039a 77281->77282 77302 a81e40 free 77282->77302 77284 ac03a2 77303 a81e40 free 77284->77303 77286 ac03aa 77304 ac03d8 77286->77304 77291 a81e40 free 77291->77273 77293 a913ae 77292->77293 77294 a913b3 77292->77294 77320 b17ea0 SetEvent GetLastError 77293->77320 77296 ac01c4 77294->77296 77300 ac01ce __EH_prolog 77296->77300 77297 ac0203 77321 a81e40 free 77297->77321 77299 ac020b 77299->77281 77300->77297 77322 a81e40 free 77300->77322 77302->77284 77303->77286 77305 ac03e2 __EH_prolog 77304->77305 77306 a9139e ctype 2 API calls 77305->77306 77307 ac03fb 77306->77307 77323 b17d50 77307->77323 77309 ac0403 77310 b17d50 ctype 
2 API calls 77309->77310 77311 ac040b 77310->77311 77312 b17d50 ctype 2 API calls 77311->77312 77313 ac03b7 77312->77313 77314 ac004a 77313->77314 77315 ac0054 __EH_prolog 77314->77315 77329 a81e40 free 77315->77329 77317 ac0067 77330 a81e40 free 77317->77330 77319 ac006f 77319->77273 77319->77291 77320->77294 77321->77299 77322->77300 77324 b17d59 CloseHandle 77323->77324 77325 b17d7b 77323->77325 77326 b17d75 77324->77326 77327 b17d64 GetLastError 77324->77327 77325->77309 77326->77325 77327->77325 77328 b17d6e 77327->77328 77328->77309 77329->77317 77330->77319 77331 a8b5d9 77332 a8b5e6 77331->77332 77333 a8b5f7 77331->77333 77332->77333 77337 a8b5fe 77332->77337 77338 a8b608 __EH_prolog 77337->77338 77344 b06a40 VirtualFree 77338->77344 77340 a8b63d 77341 a8764c CloseHandle 77340->77341 77342 a8b5f1 77341->77342 77343 a81e40 free 77342->77343 77343->77333 77344->77340 77345 b06bc6 77346 b06bca 77345->77346 77347 b06bcd 77345->77347 77347->77346 77348 b06bd1 malloc 77347->77348 77348->77346 77349 a91ade 77350 a91ae8 __EH_prolog 77349->77350 77400 a813f5 77350->77400 77353 a91b32 6 API calls 77355 a91b8d 77353->77355 77364 a91bf8 77355->77364 77418 a91ea4 9 API calls 77355->77418 77356 a91b24 _CxxThrowException 77356->77353 77358 a91bdf 77359 a827bb 3 API calls 77358->77359 77360 a91bec 77359->77360 77419 a81e40 free 77360->77419 77362 a91c89 77414 a91eb9 77362->77414 77364->77362 77420 aa1d73 5 API calls __EH_prolog 77364->77420 77368 a91cb2 _CxxThrowException 77368->77362 77401 a813ff __EH_prolog 77400->77401 77402 aa7ebb free 77401->77402 77403 a8142b 77402->77403 77404 a81438 77403->77404 77421 a81212 free ctype 77403->77421 77406 a81e0c ctype 2 API calls 77404->77406 77409 a8144d 77406->77409 77407 a814f4 77407->77353 77417 aa1d73 5 API calls __EH_prolog 77407->77417 77408 ac04d2 5 API calls 77408->77409 77409->77407 77409->77408 77412 a81507 77409->77412 77422 a81265 5 API calls 2 library calls 77409->77422 77423 a81524 malloc _CxxThrowException __EH_prolog 
ctype 77409->77423 77413 a82fec 3 API calls 77412->77413 77413->77407 77424 a89313 GetCurrentProcess OpenProcessToken 77414->77424 77417->77356 77418->77358 77419->77364 77420->77368 77421->77404 77422->77409 77423->77409 77425 a8933a LookupPrivilegeValueW 77424->77425 77426 a89390 77424->77426 77427 a8934c AdjustTokenPrivileges 77425->77427 77428 a89382 77425->77428 77427->77428 77429 a89372 GetLastError 77427->77429 77430 a89385 CloseHandle 77428->77430 77429->77430 77430->77426 77431 a9459e 77432 a945ab 77431->77432 77436 a945bc 77431->77436 77432->77436 77437 a945c3 77432->77437 77438 a945cd __EH_prolog 77437->77438 77466 a979b2 free ctype 77438->77466 77440 a945e8 77467 a81e40 free 77440->77467 77442 a945f3 77468 ab2db9 free ctype 77442->77468 77444 a94609 77469 a81e40 free 77444->77469 77446 a94610 77470 a81e40 free 77446->77470 77448 a9461b 77471 a81e40 free 77448->77471 77450 a94626 77472 a9794c free ctype 77450->77472 77452 a94638 77473 ab2db9 free ctype 77452->77473 77454 a9465b 77474 a81e40 free 77454->77474 77456 a9468e 77475 a81e40 free 77456->77475 77458 a946ae 77476 a94733 free __EH_prolog ctype 77458->77476 77460 a946be 77477 a81e40 free 77460->77477 77462 a946e8 77478 a81e40 free 77462->77478 77464 a945b6 77465 a81e40 free 77464->77465 77465->77436 77466->77440 77467->77442 77468->77444 77469->77446 77470->77448 77471->77450 77472->77452 77473->77454 77474->77456 77475->77458 77476->77460 77477->77462 77478->77464 77479 abacd3 77480 abace0 77479->77480 77481 abacf1 77479->77481 77480->77481 77485 abacf8 77480->77485 77487 abc0b3 __EH_prolog 77485->77487 77486 abc0ed 77494 a81e40 free 77486->77494 77487->77486 77490 aa7193 free 77487->77490 77493 a81e40 free 77487->77493 77489 abaceb 77492 a81e40 free 77489->77492 77490->77487 77492->77481 77493->77487 77494->77489 77495 a842d1 77496 a842bd 77495->77496 77497 a842c5 77496->77497 77498 a81e0c ctype 2 API calls 77496->77498 77498->77497 77499 aff190 77500 a81e0c ctype 2 API calls 77499->77500 77501 
aff1b0 77500->77501

                              Control-flow Graph (rendered graph and its Executed / Not Executed legend not reproduced; the function's API calls are listed below)
                              APIs
                              • GetCurrentProcess.KERNEL32(00000020,00A91EC5,?,7597AB50,?,?,?,?,00A91EC5,00A91CEF), ref: 00A89329
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00A91EC5,00A91CEF), ref: 00A89330
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00A89342
                              • AdjustTokenPrivileges.KERNELBASE(00A91EC5,00000000,?,00000000,00000000,00000000), ref: 00A89368
                              • GetLastError.KERNEL32 ref: 00A89372
                              • CloseHandle.KERNELBASE(00A91EC5,?,?,?,?,00A91EC5,00A91CEF), ref: 00A89388
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeRestorePrivilege
                              • API String ID: 3398352648-1684392131
                              • Opcode ID: 2429b202fd5b1e3f53247f7fed63c574fae99a2e13860e7ccb136ff77db039a0
                              • Instruction ID: 55fc745a7ffd689e250f1f2d7233a4b23487458dc55fadb657c6a827c3a0ffbb
                              • Opcode Fuzzy Hash: 2429b202fd5b1e3f53247f7fed63c574fae99a2e13860e7ccb136ff77db039a0
                              • Instruction Fuzzy Hash: D9018076945218ABCB206BF19C49BEF7F7CEF06340F080168E942E2190DA74860AD7A0

                              Control-flow Graph (rendered graph and its Executed / Not Executed legend not reproduced; the function's API calls are listed below)
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A93D6B
                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93D7D
                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93D94
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00A93DB6
                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93DCB
                              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93DD5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeSecurityPrivilege
                              • API String ID: 3475889169-2333288578
                              • Opcode ID: 54d15e2dba3cc73b156ae58ab6dff659371b0e20a95c1291d20e8da5be3ec2fa
                              • Instruction ID: d1cf890e4459748bdd0bab3ff48a87de2657979dfb45805bda36c0fbb4ca1f24
                              • Opcode Fuzzy Hash: 54d15e2dba3cc73b156ae58ab6dff659371b0e20a95c1291d20e8da5be3ec2fa
                              • Instruction Fuzzy Hash: 08110CB1A41119AFDF20AFA4DD95AFFBBBCFF04344F404529E412E2191DB748A09CA60
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AC81F1
                                • Part of subcall function 00ACF749: _CxxThrowException.MSVCRT(?,00B34A58), ref: 00ACF792
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 461045715-3916222277
                              • Opcode ID: dfb8c7e66397c4905b94c31797ab9a4840998572476ce955b74db0b6e063a9e9
                              • Instruction ID: d577955d34be1f284537e44776dfc659f079363dbbcac0ee1cb97d2d0e55838b
                              • Opcode Fuzzy Hash: dfb8c7e66397c4905b94c31797ab9a4840998572476ce955b74db0b6e063a9e9
                              • Instruction Fuzzy Hash: D9927C30900249DFDF15DFA8C984FAEBBB5BF18304F26409DE815AB292CB799D45CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A8686D
                                • Part of subcall function 00A86848: FindClose.KERNELBASE(00000000,?,00A86880), ref: 00A86853
                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00A868A5
                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00A868DE
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: Find$FileFirst$CloseH_prolog
                              • String ID:
                              • API String ID: 3371352514-0
                              • Opcode ID: 872200a9b8dcc1e99e3b0e82ef9cf215508484e01652d6bdf48beb2d8d9ec570
                              • Instruction ID: 8a505380a28988dca7aa181176fb86214534d63cd32c315ed2e69e5796394a76
                              • Opcode Fuzzy Hash: 872200a9b8dcc1e99e3b0e82ef9cf215508484e01652d6bdf48beb2d8d9ec570
                              • Instruction Fuzzy Hash: 7611DD31900209DBEB20FFA4D952AFDBBB8EF50320F204269E9A457191DB318E86DB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$ExceptionThrow
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                              • API String ID: 3665150552-429544124
                              • Opcode ID: ee5aedefc4aedbde987deda1d725a937de644e3feeafb2064f363099b5c2e26c
                              • Instruction ID: 70979f1f87747902b489d347c97b29ee1149af0c72232f310e9f78cd0c4fd2fb
                              • Opcode Fuzzy Hash: ee5aedefc4aedbde987deda1d725a937de644e3feeafb2064f363099b5c2e26c
                              • Instruction Fuzzy Hash: C8529E31D04258DFCF26EBA4C995BEDBBB9BF54304F14409AE04A67292EB706E85CF11

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 00ABA43E
                                • Part of subcall function 00A81FA0: fputc.MSVCRT ref: 00A81FA7
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                              • API String ID: 269475090-3104439828
                              • Opcode ID: 4ec1615cd02391320336417763a0695bb80dbfeb1138221dfc1ef8d866abb661
                              • Instruction ID: 97bcc2f93edc2e33ced0f4e3f6d056e77b9fbad6b83428f354cdec04e690533a
                              • Opcode Fuzzy Hash: 4ec1615cd02391320336417763a0695bb80dbfeb1138221dfc1ef8d866abb661
                              • Instruction Fuzzy Hash: 82228F31900258DFDF2AEBA4C955BEDFBF9AF54300F10409AE449632A2DB716E84CF11

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                                • Part of subcall function 00ABB5B1: fputs.MSVCRT ref: 00ABB5CA
                                • Part of subcall function 00ABB5B1: fputs.MSVCRT ref: 00ABB5E1
                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 00AB99BD
                              • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00AB99C4
                              • _CxxThrowException.MSVCRT(?,00B355B8), ref: 00AB9A77
                              • _CxxThrowException.MSVCRT(?,00B355B8), ref: 00AB9ABB
                                • Part of subcall function 00A81FB3: __EH_prolog.LIBCMT ref: 00A81FB8
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                              • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                              • API String ID: 377453556-3661318601
                              • Opcode ID: b1e6a349a8e96da690021f515cac4cdd5d68e9a472bc03bad4d3c775eaba4f58
                              • Instruction ID: 12583a6332e39788ead5cdf9fc44350938f619e6463d42a5fb39d55ae032a6a8
                              • Opcode Fuzzy Hash: b1e6a349a8e96da690021f515cac4cdd5d68e9a472bc03bad4d3c775eaba4f58
                              • Instruction Fuzzy Hash: 2B228E31900208DFDF15EFA4D986BEEBBB5FF49310F20409AE545A7292CB359A85CF61

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A91AE3
                                • Part of subcall function 00A813F5: __EH_prolog.LIBCMT ref: 00A813FA
                              • _CxxThrowException.MSVCRT(?,00B36010), ref: 00A91B2D
                              • _fileno.MSVCRT ref: 00A91B3E
                              • _isatty.MSVCRT ref: 00A91B47
                              • _fileno.MSVCRT ref: 00A91B5D
                              • _isatty.MSVCRT ref: 00A91B60
                              • _fileno.MSVCRT ref: 00A91B73
                              • _CxxThrowException.MSVCRT(?,00B36010), ref: 00A91CBB
                              • _CxxThrowException.MSVCRT(?,00B36010), ref: 00A91DBD
                              • wcscmp.MSVCRT ref: 00A91DCA
                              • _CxxThrowException.MSVCRT(?,00B36010), ref: 00A91E04
                              • _isatty.MSVCRT ref: 00A91B76
                                • Part of subcall function 00AA1D73: __EH_prolog.LIBCMT ref: 00AA1D78
                              • _CxxThrowException.MSVCRT(?,00B36010), ref: 00A91E2C
                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00A91E3B
                              • SetProcessAffinityMask.KERNEL32(00000000), ref: 00A91E42
                              • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00A91E4C
                              Strings
                              • Unsupported switch postfix for -slp, xrefs: 00A91DF1
                              • Unsupported switch postfix -bb, xrefs: 00A91CA8
                              • unsupported value -stm, xrefs: 00A91E19
                              • : ERROR : , xrefs: 00A91E52
                              • SeLockMemoryPrivilege, xrefs: 00A91D28
                              • Set process affinity mask: , xrefs: 00A91D74
                              • Unsupported switch postfix -stm, xrefs: 00A91DAA
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                              • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                              • API String ID: 1826148334-1115009270
                              • Opcode ID: 0d229970769e6bfe88f7452762bc285f1574b45e8cfc9e86fd9dabbfeda009da
                              • Instruction ID: a847c7c42b81cd8ec3645eb137670f019c6dd244cdcc1bd7321d6b6af89e5ce1
                              • Opcode Fuzzy Hash: 0d229970769e6bfe88f7452762bc285f1574b45e8cfc9e86fd9dabbfeda009da
                              • Instruction Fuzzy Hash: B4C1C531A00246AFDF11EFB4C989BEDBFF5AF19304F148499E489972A2CB74AD45CB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AB8017
                              • fputs.MSVCRT ref: 00AB804D
                                • Part of subcall function 00AB8341: __EH_prolog.LIBCMT ref: 00AB8346
                                • Part of subcall function 00AB8341: fputs.MSVCRT ref: 00AB835B
                                • Part of subcall function 00AB8341: fputs.MSVCRT ref: 00AB8364
                              • fputs.MSVCRT ref: 00AB807A
                                • Part of subcall function 00A81FA0: fputc.MSVCRT ref: 00A81FA7
                                • Part of subcall function 00A8965D: VariantClear.OLEAUT32(?), ref: 00A8967F
                              • SysFreeString.OLEAUT32(00000000), ref: 00AB81AA
                              • fputs.MSVCRT ref: 00AB81CD
                              • SysFreeString.OLEAUT32(00000000), ref: 00AB8267
                              • SysFreeString.OLEAUT32(00000000), ref: 00AB82B1
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2889736305-3797937567
                              • Opcode ID: 66726f9c979841ab422100bbc25e853909d3bfac3cc715c828f3d0e5b3c8e96b
                              • Instruction ID: 3a6a8a4bdc51c21124d8ec7274f52e25c1133951436ac023cd5e3bc0574bb2b8
                              • Opcode Fuzzy Hash: 66726f9c979841ab422100bbc25e853909d3bfac3cc715c828f3d0e5b3c8e96b
                              • Instruction Fuzzy Hash: 56917D31A00605EFDB14EFA8DD85AEEB7B9FF48350F104169E416A7292DF74AD06CB60

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AB676B
                              • EnterCriticalSection.KERNEL32(00B42938), ref: 00AB6781
                              • fputs.MSVCRT ref: 00AB680B
                              • LeaveCriticalSection.KERNEL32(00B42938), ref: 00AB6944
                                • Part of subcall function 00ABC7D7: fputs.MSVCRT ref: 00ABC840
                              • fputs.MSVCRT ref: 00AB6851
                                • Part of subcall function 00A82201: fputs.MSVCRT ref: 00A8221E
                              • fputs.MSVCRT ref: 00AB68D9
                              • fputs.MSVCRT ref: 00AB68F6
                                • Part of subcall function 00A81FA0: fputc.MSVCRT ref: 00A81FA7
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                              • String ID: v$Sub items Errors:
                              • API String ID: 2670240366-2468115448
                              • Opcode ID: dd625c469463d869aeb9bb9aceabd76c09b0fedcd92dccb507613ce0d186abf3
                              • Instruction ID: 44333ef955eef757b2110d38acd42500b1887466a1504f14c333926829aff6b5
                              • Opcode Fuzzy Hash: dd625c469463d869aeb9bb9aceabd76c09b0fedcd92dccb507613ce0d186abf3
                              • Instruction Fuzzy Hash: D0519D31600640CFCB25AFA4D995AEAB7F6FF88310F54442EE19A87262DB346C45CB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AB635E
                              • fputs.MSVCRT ref: 00AB645F
                                • Part of subcall function 00ABC7D7: fputs.MSVCRT ref: 00ABC840
                              • fputs.MSVCRT ref: 00AB6547
                              • fputs.MSVCRT ref: 00AB665F
                              • fputs.MSVCRT ref: 00AB66AE
                                • Part of subcall function 00A81F91: fflush.MSVCRT ref: 00A81F93
                                • Part of subcall function 00A81FB3: __EH_prolog.LIBCMT ref: 00A81FB8
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog$fflushfree
                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                              • API String ID: 1750297421-1898165966
                              • Opcode ID: 0a5cf8696e1face183d426abafebe35bdde19c1dfaf3ffaa44b5f2879a3e67fa
                              • Instruction ID: 6f3b600c574665989fed61e86d60009b56793e4aa69c30d7cce61bba5339638d
                              • Opcode Fuzzy Hash: 0a5cf8696e1face183d426abafebe35bdde19c1dfaf3ffaa44b5f2879a3e67fa
                              • Instruction Fuzzy Hash: 8CB15B30601B058FDB28EF64CAA1BEAB7F9BF44304F04452EE65A57292CB78AD55CF50

                              Control-flow Graph

                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00A89CB3
                              • GetProcAddress.KERNEL32(00000000), ref: 00A89CBA
                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00A89CC8
                              • GlobalMemoryStatus.KERNEL32(?), ref: 00A89CFA
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                              • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                              • API String ID: 180289352-802862622
                              • Opcode ID: e4625afaede34c6d4d95b68afa40d575a59988409b1fdae3053b761c6fc8c2d8
                              • Instruction ID: 6a2dbba37a46a9128c4624a0348f10f78e1662fbb66c2a5936ccb1e5ab9066c1
                              • Opcode Fuzzy Hash: e4625afaede34c6d4d95b68afa40d575a59988409b1fdae3053b761c6fc8c2d8
                              • Instruction Fuzzy Hash: 811117B09002099FDF20EFA4D88ABAEBBF5BF14705F144419E446A7240DB79E984CB54

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                              • String ID:
                              • API String ID: 4012487245-0
                              • Opcode ID: 2b02ebbb4861103753b20d4784bb8be5dc8431dc1fbfbba90691a2c7a93cc67b
                              • Instruction ID: 95e52c110d89a2d6d040af0e929d3f6e9b0d54f78d457627ab1ebd2c90b3ebf6
                              • Opcode Fuzzy Hash: 2b02ebbb4861103753b20d4784bb8be5dc8431dc1fbfbba90691a2c7a93cc67b
                              • Instruction Fuzzy Hash: DA213B75900608EFDB20AFA4EC46AAEBBB8FB0E721F100255F511A32E2CB745641DB64

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                              • String ID:
                              • API String ID: 279829931-0
                              • Opcode ID: afd61a68b61882780bed734a9cc8979d8f6ae725b9f2c60978e6d670b23c3c33
                              • Instruction ID: 07e05d0317d925aa8e4e1f0e449eae69270aa4285e235db00050f269688debe7
                              • Opcode Fuzzy Hash: afd61a68b61882780bed734a9cc8979d8f6ae725b9f2c60978e6d670b23c3c33
                              • Instruction Fuzzy Hash: 71014CB5910618EFDB14AFE0EC46DEE7BB9FF0C701B000049F505B3262DA759911DB20

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA185D
                                • Part of subcall function 00AA021A: __EH_prolog.LIBCMT ref: 00AA021F
                                • Part of subcall function 00AA062E: __EH_prolog.LIBCMT ref: 00AA0633
                              • _CxxThrowException.MSVCRT(?,00B36010), ref: 00AA1961
                                • Part of subcall function 00AA1AA5: __EH_prolog.LIBCMT ref: 00AA1AAA
                              Strings
                              • Duplicate archive path:, xrefs: 00AA1A8D
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID: Duplicate archive path:
                              • API String ID: 2366012087-4000988232
                              • Opcode ID: f45f502c362d49e2dd2b8dc2207e5f5676637607ac8b0deb3b2c9e5100487072
                              • Instruction ID: 4045dd9527c97cd1e068acdb4e892be8ab6f7158e208ead29dca602dac892dfb
                              • Opcode Fuzzy Hash: f45f502c362d49e2dd2b8dc2207e5f5676637607ac8b0deb3b2c9e5100487072
                              • Instruction Fuzzy Hash: 8A817031D00259EFCF25EFA4D691ADEB7B5EF09310F1041A9E516772A2DB30AE05CB60

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: e83ca953951032c7d01d10fde9f749be30fc075ed757b4162491b7220546b271
                              • Instruction ID: fa32c0aab8c87ede79e5c09786e38079bda3f32d9dbe9ef006df76eef8de1d8b
                              • Opcode Fuzzy Hash: e83ca953951032c7d01d10fde9f749be30fc075ed757b4162491b7220546b271
                              • Instruction Fuzzy Hash: 48516F76A00205AFDF14DFA4C885FFEB3B6FF88354F16842DE911AB241D774A9458BA0

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 00A86C77
                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00A86EC9
                                • Part of subcall function 00A86C72: wcscmp.MSVCRT ref: 00A870A5
                                • Part of subcall function 00A86BF5: __EH_prolog.LIBCMT ref: 00A86BFA
                                • Part of subcall function 00A86BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00A86C1A
                                • Part of subcall function 00A86BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00A86C49
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                              • String ID: :$DATA
                              • API String ID: 3316598575-2587938151
                              • Opcode ID: e3923487a5f18f6f43f2b0160c47db38d248452f81920ff30b64920ffea1b37b
                              • Instruction ID: 19f5b0ab3c613611ff212821bc22d65236fd7cb872e5aebc787043029b00e57f
                              • Opcode Fuzzy Hash: e3923487a5f18f6f43f2b0160c47db38d248452f81920ff30b64920ffea1b37b
                              • Instruction Fuzzy Hash: CAE126709006099EEF25FFA4C985BFEBBB1BF14314F204519E8866B2E1DB70AD49CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A96FCA
                                • Part of subcall function 00A96E71: __EH_prolog.LIBCMT ref: 00A96E76
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                              • API String ID: 3519838083-394804653
                              • Opcode ID: a13d4873dcc1b916b6e225c5c6c5186b5ec8f4d2205d495aba729dfc83bfd7f5
                              • Instruction ID: 7231c8fb700f974460391e8055d4b8e95341f5c202abb796f35bd940a2def05b
                              • Opcode Fuzzy Hash: a13d4873dcc1b916b6e225c5c6c5186b5ec8f4d2205d495aba729dfc83bfd7f5
                              • Instruction Fuzzy Hash: 4741B472B19284DBCF21DFA48591AEEFBF5BF49300F6445AEE086A7211C6306E45C771
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: 3bbbb89271688738aad25de8f8c7b35d608213ab3b0237e9da3de9996752cd9f
                              • Instruction ID: 1427992c32d77dc2a8535f20aa72a7bd2c2aafa3030041b05db58e700f39d39b
                              • Opcode Fuzzy Hash: 3bbbb89271688738aad25de8f8c7b35d608213ab3b0237e9da3de9996752cd9f
                              • Instruction Fuzzy Hash: 42218E32904118EFCF15FB94EA42BEEBBB9EF48310F20006AE40172192DF756E45CB94
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AB8346
                              • fputs.MSVCRT ref: 00AB835B
                              • fputs.MSVCRT ref: 00AB8364
                                • Part of subcall function 00AB83BF: __EH_prolog.LIBCMT ref: 00AB83C4
                                • Part of subcall function 00AB83BF: fputs.MSVCRT ref: 00AB8401
                                • Part of subcall function 00AB83BF: fputs.MSVCRT ref: 00AB8437
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: 19b141a9bb36e49e0b86bd19dba786670588cd490065ec7ee02cd2add6d3a5dd
                              • Instruction ID: ef89bb792e9fd740f3ff91017586bb3d636c64e373c530c1d791d8bb7a84e87f
                              • Opcode Fuzzy Hash: 19b141a9bb36e49e0b86bd19dba786670588cd490065ec7ee02cd2add6d3a5dd
                              • Instruction Fuzzy Hash: 4D01D631A04004EBCB15BBA8D952BEEBFB9EF84710F00401AF405561A2CF794A57DBD1
                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,00A9AB57), ref: 00B17DAA
                              • GetLastError.KERNEL32(?,00000000,00A9AB57), ref: 00B17DBB
                              • CloseHandle.KERNELBASE(00000000,?,00000000,00A9AB57), ref: 00B17DCF
                              • GetLastError.KERNEL32(?,00000000,00A9AB57), ref: 00B17DD9
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                              • String ID:
                              • API String ID: 1796208289-0
                              • Opcode ID: 3c0663d93c7a315da6c9bda2d64521f28046ad08aba9db791f07c7c218529b1d
                              • Instruction ID: cde476610b27c25a8112e87d4ae287c9374e98f3274eeccc4c99b1bba721666f
                              • Opcode Fuzzy Hash: 3c0663d93c7a315da6c9bda2d64521f28046ad08aba9db791f07c7c218529b1d
                              • Instruction Fuzzy Hash: 56F0DAB134820A47EB305ABDAC88FA66AE8EF55375B6007B9E961D31D0DE60D8818660
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA209B
                                • Part of subcall function 00A8757D: GetLastError.KERNEL32(00A8D14C), ref: 00A8757D
                                • Part of subcall function 00AA2C6C: __EH_prolog.LIBCMT ref: 00AA2C71
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 683690243-1569138187
                              • Opcode ID: 07ef8979d5e50ee192e2202b8fc7ac000ad1d1c68de78dc1d7ed95a225ae1948
                              • Instruction ID: 9758f2693563d9e8fb937fbc8c2a474bbf2b73819b0c6fcb0044c3881db34dda
                              • Opcode Fuzzy Hash: 07ef8979d5e50ee192e2202b8fc7ac000ad1d1c68de78dc1d7ed95a225ae1948
                              • Instruction Fuzzy Hash: 51723770D00258DFCB25DFA8C984BEEBBB5BF5A300F14409AE859A7292C7749E91CF51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: CountTickfputs
                              • String ID: .
                              • API String ID: 290905099-4150638102
                              • Opcode ID: 8a1fd91e20e6605da8a424bb8ac4594e7daeec0d684f9f9b9fc7546cf45b4d66
                              • Instruction ID: 4ca71b09ea4da700fc7b29a671090d7b34ef08f417156ac55f0b86a42a39b010
                              • Opcode Fuzzy Hash: 8a1fd91e20e6605da8a424bb8ac4594e7daeec0d684f9f9b9fc7546cf45b4d66
                              • Instruction Fuzzy Hash: 9D714630600B049FDB25EF68CA91FAEB7FAAF81710F00481DE49797A42DB70B949CB11
                              APIs
                                • Part of subcall function 00A89C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00A89CB3
                                • Part of subcall function 00A89C8F: GetProcAddress.KERNEL32(00000000), ref: 00A89CBA
                                • Part of subcall function 00A89C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00A89CC8
                              • __aulldiv.LIBCMT ref: 00AC093F
                              • __aulldiv.LIBCMT ref: 00AC094B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                              • String ID: 3333
                              • API String ID: 3520896023-2924271548
                              • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction ID: a80105a3ef347cf4e36e1cce15985bda46b7dacc0804a8b396a363214d90bff5
                              • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction Fuzzy Hash: 66219AB1A00704AFE730DF7A8881F6BFAFDEB84750F04896EB18AD3642D6709940C755
                              APIs
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              • memset.MSVCRT ref: 00AAAEBA
                              • memset.MSVCRT ref: 00AAAECD
                                • Part of subcall function 00AC04D2: _CxxThrowException.MSVCRT(?,00B34A58), ref: 00AC04F8
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: memset$ExceptionThrowfree
                              • String ID: Split
                              • API String ID: 1404239998-1882502421
                              • Opcode ID: a0cc4956fbc03606d367f5ed83bde1851095946a7a013e3e4f8ac12283b3e945
                              • Instruction ID: b7aa180e5bd473a4778c03d854b2c61c1cfaae22e96087c6d27fe44deb8082f5
                              • Opcode Fuzzy Hash: a0cc4956fbc03606d367f5ed83bde1851095946a7a013e3e4f8ac12283b3e945
                              • Instruction Fuzzy Hash: 89423B30A00249DFDF25DFA4C984BADBBF5BF1A314F1440A9E449A7291CB75AE85CF12
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A8759F
                                • Part of subcall function 00A8764C: CloseHandle.KERNELBASE(00000000,?,00A875AF,00000002,?,00000000,00000000), ref: 00A87657
                              • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 00A875E5
                              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00A87626
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: CreateFile$CloseH_prologHandle
                              • String ID:
                              • API String ID: 449569272-0
                              • Opcode ID: 846400061e19d9c580ecc2f0ea86e686da368f4df3d16aecaf35c1b42d411121
                              • Instruction ID: 3e1960bb8929de78b573cda99601ad79707b8b66576ac4322d03d81874fbacd1
                              • Opcode Fuzzy Hash: 846400061e19d9c580ecc2f0ea86e686da368f4df3d16aecaf35c1b42d411121
                              • Instruction Fuzzy Hash: A111D07280020AEFCF11BFA4DC418EEBBBAFF14354B108939F860521A1DB358D61EB90
                              APIs
                              • fputs.MSVCRT ref: 00AB8437
                              • fputs.MSVCRT ref: 00AB8401
                                • Part of subcall function 00A81FB3: __EH_prolog.LIBCMT ref: 00A81FB8
                              • __EH_prolog.LIBCMT ref: 00AB83C4
                                • Part of subcall function 00A81FA0: fputc.MSVCRT ref: 00A81FA7
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs$fputc
                              • String ID:
                              • API String ID: 678540050-0
                              • Opcode ID: 121eb7a5d82ccb8ef233dcec38a926b333b41b02be41b92bf2fc4d51fe40cc0c
                              • Instruction ID: 5839ae325a43644371bd165c2f3bf3a536b7aefa76c3678dfbd7ba0ff8872e26
                              • Opcode Fuzzy Hash: 121eb7a5d82ccb8ef233dcec38a926b333b41b02be41b92bf2fc4d51fe40cc0c
                              • Instruction Fuzzy Hash: 2F118631B041159BCF05B7A4EA136BEBBBDEF44750F00002AF50193292DF691D42C7D4
                              APIs
                              • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,00A877DB,?,?,00000000,?,00A87832,?), ref: 00A87773
                              • GetLastError.KERNEL32(?,00A877DB,?,?,00000000,?,00A87832,?,?,?,?,00000000), ref: 00A87780
                              • SetLastError.KERNEL32(00000000,?,?,00A877DB,?,?,00000000,?,00A87832,?,?,?,?,00000000), ref: 00A87797
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$FilePointer
                              • String ID:
                              • API String ID: 1156039329-0
                              • Opcode ID: f100e63c309a829d523d1ee776010834f428e01491475655731189deea9fd937
                              • Instruction ID: d657cef96eb5b36e1bfdd987061dd596c96d47fdaf7f2631f08f638dd172ade0
                              • Opcode Fuzzy Hash: f100e63c309a829d523d1ee776010834f428e01491475655731189deea9fd937
                              • Instruction Fuzzy Hash: 6C11BC31604305AFEF21DF68CC85BAE7BE5AF48320F208429F81697291DBB0DD51DB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A85A91
                              • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00A85AB7
                              • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00A85AEC
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFile$H_prolog
                              • String ID:
                              • API String ID: 3790360811-0
                              • Opcode ID: fd77181f59ce3dc49d0dc392784a924038f9d9b3bab5e275d148e7e19d5ae55f
                              • Instruction ID: 08c78beefcc76b262c14359066337446376da182bab6e2f525fa9150df5a889c
                              • Opcode Fuzzy Hash: fd77181f59ce3dc49d0dc392784a924038f9d9b3bab5e275d148e7e19d5ae55f
                              • Instruction Fuzzy Hash: A901F532E00615ABCF15BBA0E9856FEF7BAFF50390F148466EC11A3191DB394C02DB50
                              APIs
                              • EnterCriticalSection.KERNEL32(00B42938), ref: 00AB588B
                              • LeaveCriticalSection.KERNEL32(00B42938), ref: 00AB58BC
                                • Part of subcall function 00ABC911: GetTickCount.KERNEL32 ref: 00ABC926
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$CountEnterLeaveTick
                              • String ID: v
                              • API String ID: 1056156058-3261393531
                              • Opcode ID: 15360337db0b7f389701964fc628bb0a562649d5c08ff9cb34a6f66e310da1ab
                              • Instruction ID: 8d80a5ef2ecb6b9909794c2350717d71780ea758c1d84cc90107004be4199251
                              • Opcode Fuzzy Hash: 15360337db0b7f389701964fc628bb0a562649d5c08ff9cb34a6f66e310da1ab
                              • Instruction Fuzzy Hash: 25E0E576605210EFC314EF28D908EDA7BE9AFD8321F0505BEF50987362CB309949CBA5
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A95BEF
                                • Part of subcall function 00A954C0: __EH_prolog.LIBCMT ref: 00A954C5
                                • Part of subcall function 00A95630: __EH_prolog.LIBCMT ref: 00A95635
                                • Part of subcall function 00AA36EA: __EH_prolog.LIBCMT ref: 00AA36EF
                                • Part of subcall function 00A957C1: __EH_prolog.LIBCMT ref: 00A957C6
                                • Part of subcall function 00A958BE: __EH_prolog.LIBCMT ref: 00A958C3
                              Strings
                              • Cannot seek to begin of file, xrefs: 00A9610F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Cannot seek to begin of file
                              • API String ID: 3519838083-2298593816
                              • Opcode ID: aa1c9bc8623655bdabbb674ab759ad7e693bfb966db57b3b17b4e0fe7da77bbf
                              • Instruction ID: b8ab1f9357349f113035947adfcababe81fe116d15037146dc4c7fb27024df3d
                              • Opcode Fuzzy Hash: aa1c9bc8623655bdabbb674ab759ad7e693bfb966db57b3b17b4e0fe7da77bbf
                              • Instruction Fuzzy Hash: 5C122130A046499FDF26EFB4C985BEEBBF5AF08310F14406DE44667292DB70AE85CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AC4E8F
                                • Part of subcall function 00A8965D: VariantClear.OLEAUT32(?), ref: 00A8967F
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ClearH_prologVariantfree
                              • String ID: file
                              • API String ID: 904627215-2359244304
                              • Opcode ID: 8aebc74eadecf45c7162822ec30ebdf6f3abce0ab12afaccca4850e98ebef7b2
                              • Instruction ID: 0cb33337ba09bb5d2dba4e71fb94123de8c56d03f942d4008340e814f17ac021
                              • Opcode Fuzzy Hash: 8aebc74eadecf45c7162822ec30ebdf6f3abce0ab12afaccca4850e98ebef7b2
                              • Instruction Fuzzy Hash: 41122930E00649DFCF15EBA4CA95BEDBBB6BF54344F248068F405AB252DB71AE46CB50
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA2CE0
                                • Part of subcall function 00A85E10: __EH_prolog.LIBCMT ref: 00A85E15
                                • Part of subcall function 00A941EC: _CxxThrowException.MSVCRT(?,00B34A58), ref: 00A9421A
                                • Part of subcall function 00A8965D: VariantClear.OLEAUT32(?), ref: 00A8967F
                              Strings
                              • Cannot create output directory, xrefs: 00AA3070
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ClearExceptionThrowVariant
                              • String ID: Cannot create output directory
                              • API String ID: 814188403-1181934277
                              • Opcode ID: b5dc92eb34f27402cdf84c54645b17a3f0aa32be8caf072e636497d071f0caed
                              • Instruction ID: 859aa038d796462d908c99e291db8e77ec7022b47090bb85cca18d869d4dcdaa
                              • Opcode Fuzzy Hash: b5dc92eb34f27402cdf84c54645b17a3f0aa32be8caf072e636497d071f0caed
                              • Instruction Fuzzy Hash: E8F19031904289DFCF25EFA8CA90AEEBFB5BF1A300F1440ADE44567292DB319E55CB51
                              APIs
                              • fputs.MSVCRT ref: 00ABC840
                                • Part of subcall function 00A825CB: _CxxThrowException.MSVCRT(?,00B34A58), ref: 00A825ED
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs
                              • String ID:
                              • API String ID: 1334390793-399585960
                              • Opcode ID: 63aed311d8b3cccfb51f3409f125742f6dcb67bdb8192336ff9a48626694818c
                              • Instruction ID: 494517dac94b533f749009b0677f16f2a9849c2c89498ba16518f0cda1376eb4
                              • Opcode Fuzzy Hash: 63aed311d8b3cccfb51f3409f125742f6dcb67bdb8192336ff9a48626694818c
                              • Instruction Fuzzy Hash: EB11C1716047449FDB25CF58C8C1BAAFBEAEF89314F04446EE1868B251DBB5BD44CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Open
                              • API String ID: 1795875747-71445658
                              • Opcode ID: 1c1a7482f2bc3667ef2004e006081de09d693ad2ee516c0f8cd87dcbfdcc0b6f
                              • Instruction ID: e01b4526fca8ad86d54d4f600f699fae9b80d4577c54c93ecd7796d3dd81be14
                              • Opcode Fuzzy Hash: 1c1a7482f2bc3667ef2004e006081de09d693ad2ee516c0f8cd87dcbfdcc0b6f
                              • Instruction Fuzzy Hash: C11173315057049FC720EF34EA91ADABBE9EF54310F50893EE19A83112DB35A905CF50
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A958C3
                                • Part of subcall function 00A86C72: __EH_prolog.LIBCMT ref: 00A86C77
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: bbc5619c5e32fdd1ce7fdefa1c367cb149efd3cc037a718f10e723b70817e3ad
                              • Instruction ID: 9516033bfac060d51978252aa0ff51f0bc0d2f7da3ef49047649adafad795c1e
                              • Opcode Fuzzy Hash: bbc5619c5e32fdd1ce7fdefa1c367cb149efd3cc037a718f10e723b70817e3ad
                              • Instruction Fuzzy Hash: 0B91D231F009059FDF26EBB4C982AFEBBF6AF44350F244468E942A7251EB319D45CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AD06B3
                              • _CxxThrowException.MSVCRT(?,00B3D480), ref: 00AD08F2
                                • Part of subcall function 00A81E0C: malloc.MSVCRT ref: 00A81E1F
                                • Part of subcall function 00A81E0C: _CxxThrowException.MSVCRT(?,00B34B28), ref: 00A81E39
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prologmalloc
                              • String ID:
                              • API String ID: 3044594480-0
                              • Opcode ID: 27d64163c8b30575b7cbced8ee5bedd9f34868a3d41ea64a90a66d034e165ae9
                              • Instruction ID: 36aca82e007c77c95c3a7b809f2499d7c3e696b360921d17c0efef7a401a0e0a
                              • Opcode Fuzzy Hash: 27d64163c8b30575b7cbced8ee5bedd9f34868a3d41ea64a90a66d034e165ae9
                              • Instruction Fuzzy Hash: 0B912875D00249DFCB21DFA8C991FEEBBB5BF08304F14419AE459A7252CB30AE45DBA1
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 4ded3e88312ed6c3856114fe8e234f30209ca0c539c6b5b7b9f929005bb23d89
                              • Instruction ID: f23cd508d75c124035734065cca10573c4cdd53ab3c6cc85c6e21e1c41f11c57
                              • Opcode Fuzzy Hash: 4ded3e88312ed6c3856114fe8e234f30209ca0c539c6b5b7b9f929005bb23d89
                              • Instruction Fuzzy Hash: C9518F71618B40AFDF26DF64C490AEBBBF5BF45300F58899DE4DA4B212D730A984DB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA7B4D
                              • memcpy.MSVCRT(00000000,00B427DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00AA7C65
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prologmemcpy
                              • String ID:
                              • API String ID: 2991061955-0
                              • Opcode ID: 817138b638f63d47cfe2264ef68bc530943f8eeeaec7feb7ff95e0b919a5bd7e
                              • Instruction ID: d9e9346a4d297a6af5bf4a57fd052d11304932b61ea6e725f1b7fe171c891ef7
                              • Opcode Fuzzy Hash: 817138b638f63d47cfe2264ef68bc530943f8eeeaec7feb7ff95e0b919a5bd7e
                              • Instruction Fuzzy Hash: 26417B71A04219DFCF24EFA4CA51EEEBBF4BF05310F104469E456A7292DB31AE09CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AD1516
                                • Part of subcall function 00AD10D3: __EH_prolog.LIBCMT ref: 00AD10D8
                              • _CxxThrowException.MSVCRT(?,00B3D480), ref: 00AD1561
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              • Opcode ID: b0d9857d64812ba3731434bfea3e8f54a2093b8a73fb340cb0aece494af0bba4
                              • Instruction ID: 07623934d7e972c0c5739fd0e46cedf02b228bee465965cd7663bc29a214fd91
                              • Opcode Fuzzy Hash: b0d9857d64812ba3731434bfea3e8f54a2093b8a73fb340cb0aece494af0bba4
                              • Instruction Fuzzy Hash: DD01A232504249BEDF118F94D815BEF7FB8EF85354F04449AF44A5A211C3BAA991C7A1
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AB5800
                              • fputs.MSVCRT ref: 00AB5830
                                • Part of subcall function 00A81FA0: fputc.MSVCRT ref: 00A81FA7
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputcfputsfree
                              • String ID:
                              • API String ID: 195749403-0
                              • Opcode ID: d180f383716b032532b1282aa6708dd96a3884af5f5b57e647995117e2f9eca0
                              • Instruction ID: 6f2db212d9ff098b938705d15f52a528c30b41ca2d3e120a8ff2f020513d7013
                              • Opcode Fuzzy Hash: d180f383716b032532b1282aa6708dd96a3884af5f5b57e647995117e2f9eca0
                              • Instruction Fuzzy Hash: 74F08C32904514DFCB1AFBA4EA127EEBBB5FF04350F00442AE506A31A2CF346D96CB84
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$fputc
                              • String ID:
                              • API String ID: 1185151155-0
                              • Opcode ID: 0ae4393faac44cacb97ee8119cfbfb9fc3b53b78b2250a1aff6c805fd7d14c98
                              • Instruction ID: f23a273160930ee6e1ff509bbf7a21fe45edbcaaa70caee2807f8ff716c7c14a
                              • Opcode Fuzzy Hash: 0ae4393faac44cacb97ee8119cfbfb9fc3b53b78b2250a1aff6c805fd7d14c98
                              • Instruction Fuzzy Hash: 72E08C372191106FD6262B48FC0289827A9DF89361335012BE640A3264AF532D1A5AA4
                              APIs
                              • SysAllocStringLen.OLEAUT32(?,?), ref: 00A8952C
                              • _CxxThrowException.MSVCRT(?,00B355B8), ref: 00A8954A
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID:
                              • API String ID: 3773818493-0
                              • Opcode ID: 3e61d45ac75336642b0ab0e9f478371334b7816b8a55cdeb53a89fcd1f57f8b4
                              • Instruction ID: e8b266509f0c9278052df88700615f0a4fdf33fb34dff696e31635b785bd6b9b
                              • Opcode Fuzzy Hash: 3e61d45ac75336642b0ab0e9f478371334b7816b8a55cdeb53a89fcd1f57f8b4
                              • Instruction Fuzzy Hash: A0F0ED72650305AFC724EFA8D946D9B7BECEF15780B40846AF949CB210EB75E944C790
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast_beginthreadex
                              • String ID:
                              • API String ID: 4034172046-0
                              • Opcode ID: 12993e5e1be8cc38104f41a16e285faaa679ddb6322cb5528c3a5d2633f768e0
                              • Instruction ID: 477749a42bae9531268374641d363f2fddd296a142bdf8ff75a2f08018ffbfa2
                              • Opcode Fuzzy Hash: 12993e5e1be8cc38104f41a16e285faaa679ddb6322cb5528c3a5d2633f768e0
                              • Instruction Fuzzy Hash: ACE086B32852026BE3109B508C01FB776DCDB90740F8044ADB945C7180EA60CD41C3A1
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,00A89C6E), ref: 00A89C52
                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00A89C59
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: Process$AffinityCurrentMask
                              • String ID:
                              • API String ID: 1231390398-0
                              • Opcode ID: 5341ce8c87e8292c7df849b6ae0dfc33e07eb698deb47fc26c8bbb19c768ccfe
                              • Instruction ID: 236774290e68e01e140d8c685b8e02f84116760028315599919578b54d9f27fc
                              • Opcode Fuzzy Hash: 5341ce8c87e8292c7df849b6ae0dfc33e07eb698deb47fc26c8bbb19c768ccfe
                              • Instruction Fuzzy Hash: 0AB092B2400100EBCE209BA09D0CC1B3F2CEE042013004645B109C3011CA36C0468B68
                              APIs
                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 00A8B843
                              • GetLastError.KERNEL32 ref: 00A8B8AA
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLastmemcpy
                              • String ID:
                              • API String ID: 2523627151-0
                              • Opcode ID: 65d195cd8c86000cfae33f722a7f39f1d7e20cf3afe73db7befcab9369a90ddf
                              • Instruction ID: cc23618150832345c6cf54e6d5abf86c348b6414988e662ce0777c0b5e87cd6e
                              • Opcode Fuzzy Hash: 65d195cd8c86000cfae33f722a7f39f1d7e20cf3afe73db7befcab9369a90ddf
                              • Instruction Fuzzy Hash: 27815B71A20705DFDB74EF25C980AAAB7F6BF84314F144A2EE84687A50E734F845CB60
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 2436765578-0
                              • Opcode ID: cb605d4825f58f2d84cf57df71c4edc1412b993bf9ff49695a6de719c6f7e1eb
                              • Instruction ID: 3ad1dae3ab2826305fedff8c5500387ee2e7dc9070e55c40e7ae449e27faf59a
                              • Opcode Fuzzy Hash: cb605d4825f58f2d84cf57df71c4edc1412b993bf9ff49695a6de719c6f7e1eb
                              • Instruction Fuzzy Hash: E4E08C3000424CAACF106FA0D804BA93FAC9B00356F409055F80C9E111D670C7D28744
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 0c638506f2cfd6c02de977305f48a361ffd986d775d8849c085a4eea8d23a25a
                              • Instruction ID: e8c49dee9ab01772acaa90e89e3bba67bfab0940aecc85b016eafece93a4dcad
                              • Opcode Fuzzy Hash: 0c638506f2cfd6c02de977305f48a361ffd986d775d8849c085a4eea8d23a25a
                              • Instruction Fuzzy Hash: 3B52B030910249DFDF11CFA8C599FAEBBB5AF49304F29409DE805AB291CB76DE45CB21
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 75753714ce3fd7852d598e7dec2d279cf7385aef83d2b420d377662f2a0082d9
                              • Instruction ID: fe4d4b4647b670a66165f11f33acc0237826bc11f757665f8412032491956f3f
                              • Opcode Fuzzy Hash: 75753714ce3fd7852d598e7dec2d279cf7385aef83d2b420d377662f2a0082d9
                              • Instruction Fuzzy Hash: 09F1EC71B04785DFCF21DFA4C590AAABBF1BF19304F5848AEE48A9B211D730AD44CB11
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: b11801a5ca8cc45e9d5a708bbe9eb989f9e9c310868967e0cf0bf45f4eab5713
                              • Instruction ID: 85ca55a3ea93646fd342b32b14361f1c462464acbf4e9536d5a7e8cc88f4372b
                              • Opcode Fuzzy Hash: b11801a5ca8cc45e9d5a708bbe9eb989f9e9c310868967e0cf0bf45f4eab5713
                              • Instruction Fuzzy Hash: 2AD16970A04745AFDB68CFA8C880BEEBBF1BF58304F10452EE556AB751D775A884CB90
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ACCF96
                                • Part of subcall function 00AD1511: __EH_prolog.LIBCMT ref: 00AD1516
                                • Part of subcall function 00AD1511: _CxxThrowException.MSVCRT(?,00B3D480), ref: 00AD1561
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              • Opcode ID: 6e0ffbdc99da2f9328d50b382f0f8d6338ca689b219d58f904a0a34d749c06c3
                              • Instruction ID: b62bbaf0a4199b6d635b28b7f124056352fad2fbfd975234ede9f995ba343427
                              • Opcode Fuzzy Hash: 6e0ffbdc99da2f9328d50b382f0f8d6338ca689b219d58f904a0a34d749c06c3
                              • Instruction Fuzzy Hash: 9E516D71900289DFCB11DFA8C9C8FAEBBB4AF49304F1844AEE45AD7242C7759E45CB21
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 86dba655154c97823a00bb50364be2bdc774b42545279c1d6a046b555d003199
                              • Instruction ID: 1a66ebd1474293e412858c97b8b3bb9572999b92a004042516a770ebccee762d
                              • Opcode Fuzzy Hash: 86dba655154c97823a00bb50364be2bdc774b42545279c1d6a046b555d003199
                              • Instruction Fuzzy Hash: 36516974A00606CFCB14CFA4C8909AAFBF6FF89300B14496DE592AB752D731A946CF90
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 6d4b87c39d23c123e3488a222dddc12395dc8a46b7458feb767ea9e12156e4f4
                              • Instruction ID: b1b328c3a438489ff1b460ce0273786e03200f196d3a07ccb353207494d3e54a
                              • Opcode Fuzzy Hash: 6d4b87c39d23c123e3488a222dddc12395dc8a46b7458feb767ea9e12156e4f4
                              • Instruction Fuzzy Hash: 2C41CF70A0065AEFDB21CF64C484F7ABBB0BF24318F158A6DD45697691C770ED81CB81
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A94255
                                • Part of subcall function 00A9440B: __EH_prolog.LIBCMT ref: 00A94410
                                • Part of subcall function 00A81E0C: malloc.MSVCRT ref: 00A81E1F
                                • Part of subcall function 00A81E0C: _CxxThrowException.MSVCRT(?,00B34B28), ref: 00A81E39
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 717897095356df203d16280b7c60401f94a989c75cc6c8f4225f4609b39399ee
                              • Instruction ID: a76419cc970c44a71358af7a0f55f57174b18d24b2767bcf1cf503df9cc49901
                              • Opcode Fuzzy Hash: 717897095356df203d16280b7c60401f94a989c75cc6c8f4225f4609b39399ee
                              • Instruction Fuzzy Hash: D351E7B1901744CFC726DF69C284ADAFBF0BF19304F5488AEC49E57652D7B0A608CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AAD0E6
                                • Part of subcall function 00A81E0C: malloc.MSVCRT ref: 00A81E1F
                                • Part of subcall function 00A81E0C: _CxxThrowException.MSVCRT(?,00B34B28), ref: 00A81E39
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrowmalloc
                              • String ID:
                              • API String ID: 3978722251-0
                              • Opcode ID: 9c8de2d6e00191b611e69d3e5727422e16fe0b4481b35b601c987aefdfa5cdc0
                              • Instruction ID: c90fa755775d336759db73694a91e3d1d07ad2aba2c3cf8da7bb7fe711945ee8
                              • Opcode Fuzzy Hash: 9c8de2d6e00191b611e69d3e5727422e16fe0b4481b35b601c987aefdfa5cdc0
                              • Instruction Fuzzy Hash: DA41C371A002159FCB11DFA8C984BAEBBF8BF46310F244599E486E76C2CB70DD41CB90
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A97FCA
                                • Part of subcall function 00A8950D: SysAllocStringLen.OLEAUT32(?,?), ref: 00A8952C
                                • Part of subcall function 00A8950D: _CxxThrowException.MSVCRT(?,00B355B8), ref: 00A8954A
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: AllocExceptionH_prologStringThrow
                              • String ID:
                              • API String ID: 1940201546-0
                              • Opcode ID: a78bff4706b1f5b124cd39051b54cbdf012c837bd5d61c166f35a46a3b56f926
                              • Instruction ID: 82eb1f3058c3687cde24702e01045e65e29fd3e606313a8ecc2c055aa4148b68
                              • Opcode Fuzzy Hash: a78bff4706b1f5b124cd39051b54cbdf012c837bd5d61c166f35a46a3b56f926
                              • Instruction Fuzzy Hash: 43319E72A20109DACF18AFA4C9559FE7BF0FF2A310F444069E016B7562EE3A9A08D751
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ABADBC
                                • Part of subcall function 00ABAD29: __EH_prolog.LIBCMT ref: 00ABAD2E
                                • Part of subcall function 00ABAF2D: __EH_prolog.LIBCMT ref: 00ABAF32
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 17b845401dffc026ef888b45c3a6e32c326b076a9427b6d8bff87668338ea287
                              • Instruction ID: a189daa68d2ea8bf1a1275e200081e505660be310c6590b8b02fd2f19e008764
                              • Opcode Fuzzy Hash: 17b845401dffc026ef888b45c3a6e32c326b076a9427b6d8bff87668338ea287
                              • Instruction Fuzzy Hash: 3E41B97144ABC0DEC326DF7881656DAFFE06F35200F94899EC4EA43A52D670A60CC76A
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8296014f7ca3761256095a878e5a0fd972b396c9aab51c7c2f4ab3263d51dbc2
                              • Instruction ID: be02a44a7e588fc1209ddbd426ac85ee66260f2b33c17376dbe8140e0e31d24c
                              • Opcode Fuzzy Hash: 8296014f7ca3761256095a878e5a0fd972b396c9aab51c7c2f4ab3263d51dbc2
                              • Instruction Fuzzy Hash: B6313EB0D00209DFCB14DF95C991CEEBBB5FF86364B10811EE41A67281C7715D01CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA98F7
                                • Part of subcall function 00AA9987: __EH_prolog.LIBCMT ref: 00AA998C
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 835bfc1306a9784e038ab5fc9c308e94452ae614232f359ffb562b077edde9ba
                              • Instruction ID: c206213c5118595d0476d953c48aed308d2cba207c3579f9ff1d991f7e92094a
                              • Opcode Fuzzy Hash: 835bfc1306a9784e038ab5fc9c308e94452ae614232f359ffb562b077edde9ba
                              • Instruction Fuzzy Hash: 34114935600245AFDB14CF69C894BABB3A9FF9A350F14895CE956DB2A1CB31E800CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA021F
                                • Part of subcall function 00A93D66: __EH_prolog.LIBCMT ref: 00A93D6B
                                • Part of subcall function 00A93D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93D7D
                                • Part of subcall function 00A93D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93D94
                                • Part of subcall function 00A93D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00A93DB6
                                • Part of subcall function 00A93D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93DCB
                                • Part of subcall function 00A93D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93DD5
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 1532160333-0
                              • Opcode ID: c9c6e9ca3d7900ef845b90d0835eb71bc82b666541af649259e04c7776db7d70
                              • Instruction ID: 8920b2ed7f47339e7c59df3fcd0abdeb16fdcdaeed12670425025cf1eb8a2ec9
                              • Opcode Fuzzy Hash: c9c6e9ca3d7900ef845b90d0835eb71bc82b666541af649259e04c7776db7d70
                              • Instruction Fuzzy Hash: 782139B1946B90CFC721CF6A82D0686FFF4BB19604B9499AEC0DA83B12C370A548CF55
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AA1C74
                                • Part of subcall function 00A86C72: __EH_prolog.LIBCMT ref: 00A86C77
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 0f03685db6db27c21f61d829163eceb2f61a984ea76098f804431b90130d368c
                              • Instruction ID: d2599bf8ec61368d9c05ac51e75d3d37eece629f9bec9de64b1fc53634406359
                              • Opcode Fuzzy Hash: 0f03685db6db27c21f61d829163eceb2f61a984ea76098f804431b90130d368c
                              • Instruction Fuzzy Hash: 16116D31A00604ABDF19FBE4DA52BFEBBB9AF05364F000068E846631D2DF655D46C794
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A97E5F
                                • Part of subcall function 00A86C72: __EH_prolog.LIBCMT ref: 00A86C77
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                                • Part of subcall function 00A8757D: GetLastError.KERNEL32(00A8D14C), ref: 00A8757D
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID:
                              • API String ID: 683690243-0
                              • Opcode ID: 9e3d2b766a8c54ff4736100c5b180c741d98b6cdf0e288ef7a4c563ab0634c75
                              • Instruction ID: ce2d7049fdc4fe4de0050477d718eaace3eb9a3e5927788eb9c9946148363e4e
                              • Opcode Fuzzy Hash: 9e3d2b766a8c54ff4736100c5b180c741d98b6cdf0e288ef7a4c563ab0634c75
                              • Instruction Fuzzy Hash: EF01CE726447009EC721FF64D992AEEBBF1EF45310B10466EE88253692CA34A909CB50
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ACBF91
                                • Part of subcall function 00ACD144: __EH_prolog.LIBCMT ref: 00ACD149
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 837430ee116a2694ac4ae7de91cdad7c126efd36a78071beba26ea598990dce1
                              • Instruction ID: 4b6feadd25d204beff5716f46ca8de4ddd07a3a4f3c99998bc54d60c39923800
                              • Opcode Fuzzy Hash: 837430ee116a2694ac4ae7de91cdad7c126efd36a78071beba26ea598990dce1
                              • Instruction Fuzzy Hash: DB117071501B14DFCB24EF64DA05BDABBF8BF00344F10896DE4AB93592DBB0AA04CB80
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ACBDBA
                                • Part of subcall function 00ACBE69: __EH_prolog.LIBCMT ref: 00ACBE6E
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: b6a3464c9a4b413d58b809981a6f71a46248dde171b72e75e6246e075a445154
                              • Instruction ID: 80e330707c5d274371a1fbfd8042018246a02d40eed5a76f199cb727ae79e905
                              • Opcode Fuzzy Hash: b6a3464c9a4b413d58b809981a6f71a46248dde171b72e75e6246e075a445154
                              • Instruction Fuzzy Hash: 1F11E6B2901B54CFC320DF5AD588A86FBE4BB18304F54C9AED0AE57712C7B0A548CB61
                              APIs
                              • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00A81AD1,00000000,00000002,00000002,?,00A87B3E,?,00000000), ref: 00A87AFD
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: a05b36913aec47b335cae563ffde2d8424e4fc0a55661607a0e064aae9efa097
                              • Instruction ID: ef2d4762a79524668c824ece804bcc72752779bdfec684a38f7d2931cc5b62dd
                              • Opcode Fuzzy Hash: a05b36913aec47b335cae563ffde2d8424e4fc0a55661607a0e064aae9efa097
                              • Instruction Fuzzy Hash: 2D01A230104248BFDF26AF54CC09BEE7FA59F05360F248149B8A6532E1C770DE61D750
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ABC0B8
                                • Part of subcall function 00AA7193: __EH_prolog.LIBCMT ref: 00AA7198
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: e118aabfb098a86587b44b138ae7833f746d44591e4243d59d2a4c2115d23476
                              • Instruction ID: 26e365599856e447fcc0f605ae22ee1cacb0388cc5b22b63aa67fd3d7fd1fa73
                              • Opcode Fuzzy Hash: e118aabfb098a86587b44b138ae7833f746d44591e4243d59d2a4c2115d23476
                              • Instruction Fuzzy Hash: F9F0B472A04612DBD725AB49E941BEEF3EDEF54770F10016FE401A7612CBB19C118690
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AC0364
                                • Part of subcall function 00AC01C4: __EH_prolog.LIBCMT ref: 00AC01C9
                                • Part of subcall function 00AC0143: __EH_prolog.LIBCMT ref: 00AC0148
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                                • Part of subcall function 00AC03D8: __EH_prolog.LIBCMT ref: 00AC03DD
                                • Part of subcall function 00AC004A: __EH_prolog.LIBCMT ref: 00AC004F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 8a4e09668c511b34be7afe5ae7f6c87e64c6d69de3d8df80470c4e2ae9d2f7dc
                              • Instruction ID: c195b30ede010d37b7d7dd04aa438cfd1f464b9918a27d4257d0e4e5b5459b5a
                              • Opcode Fuzzy Hash: 8a4e09668c511b34be7afe5ae7f6c87e64c6d69de3d8df80470c4e2ae9d2f7dc
                              • Instruction Fuzzy Hash: 45F02831A18B50DFCB1AFFA8D622BADBBE8AF00314F11469DE456632D2CFB45B048744
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a6f2b0938f2630b12974f19a6c106aa21e56336af5f64d0d4c6804ec67af66bb
                              • Instruction ID: c5c98f46065a7c8a21a7772ccf53119487586fedbc9ad7c1bd50cef44ac19d08
                              • Opcode Fuzzy Hash: a6f2b0938f2630b12974f19a6c106aa21e56336af5f64d0d4c6804ec67af66bb
                              • Instruction Fuzzy Hash: 74F09672E1111AEBCB14EF98D8409EFBB79FF44750F14816AF419E7251DB348A05CB94
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AC550A
                                • Part of subcall function 00AC4E8A: __EH_prolog.LIBCMT ref: 00AC4E8F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 7ce7c6b9fcfa81b8286a70b4bf60b453b752f80c32b812330e72697eece3f010
                              • Instruction ID: 78a2803cdde97aa0c71a75b9ab0340325814f83e241da3965129a4618a52f9dc
                              • Opcode Fuzzy Hash: 7ce7c6b9fcfa81b8286a70b4bf60b453b752f80c32b812330e72697eece3f010
                              • Instruction Fuzzy Hash: FCF06576A04519EBCB019F58E811FDE7BB9FF84360F11445DF41557241DB71ED008BA0
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: ec90b05e3c3c1a998076c60485fc6a28f85f278b0420dbbb7ad9e4003627b84a
                              • Instruction ID: 4ddf557569a31249c2f27ec9fe9f9a0a3ea65ff28fcee3ba66c0561689a0d817
                              • Opcode Fuzzy Hash: ec90b05e3c3c1a998076c60485fc6a28f85f278b0420dbbb7ad9e4003627b84a
                              • Instruction Fuzzy Hash: C7E0ED76604108EFC714EF98D855F9BB7B8EF49354F10845EB40A97251C7759900CA64
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AC5E30
                                • Part of subcall function 00AC08B6: __aulldiv.LIBCMT ref: 00AC093F
                                • Part of subcall function 00A9DFC9: __EH_prolog.LIBCMT ref: 00A9DFCE
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$__aulldiv
                              • String ID:
                              • API String ID: 604474441-0
                              • Opcode ID: c94d42ed4313c0ed2728735d03ba2c1f8991d3152f068e81db6cd951c6de4229
                              • Instruction ID: b4aea4353c6e8959bf3d3db9957b9c245be6734ff16af9d97680db4fa971c95a
                              • Opcode Fuzzy Hash: c94d42ed4313c0ed2728735d03ba2c1f8991d3152f068e81db6cd951c6de4229
                              • Instruction Fuzzy Hash: EFE0C971A15760DFCB55EFB8A651B9EB6E4BB08700F00596EA046D3B41DAB4A9008B91
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AC8ED6
                                • Part of subcall function 00AC9267: __EH_prolog.LIBCMT ref: 00AC926C
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: ed6341b9007e63b60d3930180a04278bd159033ba965caa7b0d5e1567eca52de
                              • Instruction ID: 322e62619c6b9c01c1ad114af86c96e51f7fc9ae435795f1a9c0c8756e4f1fdd
                              • Opcode Fuzzy Hash: ed6341b9007e63b60d3930180a04278bd159033ba965caa7b0d5e1567eca52de
                              • Instruction Fuzzy Hash: A0E0D872A14930DAC71DEB64E622BEEB7E8EF04704F00065DA04393582CFB46704C781
                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00A87C8B
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 750272da884a88f7da26339d783ff182492225daf34e7b69cd42741a24f6bc70
                              • Instruction ID: 520185ee08c74e38222f1dcc700ea82f87689693478dad485e6ae349d5ac22ec
                              • Opcode Fuzzy Hash: 750272da884a88f7da26339d783ff182492225daf34e7b69cd42741a24f6bc70
                              • Instruction Fuzzy Hash: ABE01A75600209FBCF11CFA5D801B8E7BB9EB09755F20C06AF919AB260D739DA50DF54
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ACBE6E
                                • Part of subcall function 00AC5E2B: __EH_prolog.LIBCMT ref: 00AC5E30
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 3c399a58c37ea4c68d24caed32f85f08dde6429d3ee8fef6ec601998619b15f2
                              • Instruction ID: 3c4f569e6116ea26b58eba421a53912ce5c06aa32725b6bfe68347e0db3dee14
                              • Opcode Fuzzy Hash: 3c399a58c37ea4c68d24caed32f85f08dde6429d3ee8fef6ec601998619b15f2
                              • Instruction Fuzzy Hash: 96E09272A28A608BD715EB24D415BDDB7E8BB00305F00855EE096D3282CFB46A08C7A1
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 092cdb6e6531859437342808e644f9b05ee9f5270c46c90866b58dc5438e7083
                              • Instruction ID: ba8879aff72bd267803af34291ad1445463bb36eb2dc993a850679668a9bd84f
                              • Opcode Fuzzy Hash: 092cdb6e6531859437342808e644f9b05ee9f5270c46c90866b58dc5438e7083
                              • Instruction Fuzzy Hash: E0D01232504119ABCF156B94DC06CDD7BBCEF0C214700441AF541F2150EA75E5158794
                              APIs
                              • __EH_prolog.LIBCMT ref: 00ABF74A
                                • Part of subcall function 00ABF784: __EH_prolog.LIBCMT ref: 00ABF789
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 6725f3d385924624d91d70dd0cb832b5244456474abbfb25f2a228f336565b1c
                              • Instruction ID: 12fd4b652bd7e793d59f6a5c1474f7c8d624311f7bb254ee79b549042af8fccc
                              • Opcode Fuzzy Hash: 6725f3d385924624d91d70dd0cb832b5244456474abbfb25f2a228f336565b1c
                              • Instruction Fuzzy Hash: 3ED012B2A55214BFD7149B45ED12BEFBBBCEB40754F10056EF00561141C7B5590086A4
                              APIs
                              • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,00A8785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00A87B65
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 883e264ee5bd235e8ed31186340308327541a5879b42325137dd2abadb5a76f6
                              • Instruction ID: 3cbcdceb14034472d55771ae9afb4d0058800b58a0e074467f9cad41e5bf2f2c
                              • Opcode Fuzzy Hash: 883e264ee5bd235e8ed31186340308327541a5879b42325137dd2abadb5a76f6
                              • Instruction Fuzzy Hash: F7E0EC75200208FBDF11CF90CC01F8E7BB9AF49755F208058E905A6160C775AA64EB50
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AD80AF
                                • Part of subcall function 00A81E0C: malloc.MSVCRT ref: 00A81E1F
                                • Part of subcall function 00A81E0C: _CxxThrowException.MSVCRT(?,00B34B28), ref: 00A81E39
                                • Part of subcall function 00ACBDB5: __EH_prolog.LIBCMT ref: 00ACBDBA
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 8d3ad9e778495e885c987d24925aeceeee2ee9c65c2d93d8c161eed9fb9b66f2
                              • Instruction ID: cc37a358092b318bade21d3e5e8bfcfb1861859c06a90110f71f8f4c0bbe62ff
                              • Opcode Fuzzy Hash: 8d3ad9e778495e885c987d24925aeceeee2ee9c65c2d93d8c161eed9fb9b66f2
                              • Instruction Fuzzy Hash: A2D05E71F15101AFDB08FFB4A5227AF72E4AB44700F0045BEA02BE3B81EF748900C620
                              APIs
                              • FindClose.KERNELBASE(00000000,?,00A86880), ref: 00A86853
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: 21ce0213b7bcd444885326b1da4a1bb26ec0bbf5f8a8d01901a78732bc0c8f7e
                              • Instruction ID: 37981b9760514704fc2520ab2450b646c3ec11aa7c3e56f2d5177ea38c619ff3
                              • Opcode Fuzzy Hash: 21ce0213b7bcd444885326b1da4a1bb26ec0bbf5f8a8d01901a78732bc0c8f7e
                              • Instruction Fuzzy Hash: 1CD0123110422246AA746F7EB8499CA37D86E063343210B9AF0B8D31E2EB608C839B90
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 0cbcc2bea54e73a7b0bf950fbc54dba1db0c70096560de95d4b1d75db6f4ed10
                              • Instruction ID: 7a9d5af2bec85e02e5482bf7f638ca4417974228dcc5b6aab6eeca7c1e83ca3b
                              • Opcode Fuzzy Hash: 0cbcc2bea54e73a7b0bf950fbc54dba1db0c70096560de95d4b1d75db6f4ed10
                              • Instruction Fuzzy Hash: ACD0C936008251AF96256F05EC0AC8BBFB5FFD9321721082FF480921609B626D26DBA0
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              • Opcode ID: 1dfae09f2861bf4cd905c466008c37282fc5e75710c28a9e9a06f73bbbc4e8eb
                              • Instruction ID: da35c1aa2e83260989101abde532e89f2ba78ae87af7c24c9227404cb1d1d064
                              • Opcode Fuzzy Hash: 1dfae09f2861bf4cd905c466008c37282fc5e75710c28a9e9a06f73bbbc4e8eb
                              • Instruction Fuzzy Hash: DAB092323082209BE6281A9CBC0AAC46B94DF09732B21005BF544D21909E911C924A95
                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,00A87C65,00000000,00000000,?,00A8F238,?,?,?,?), ref: 00A87C49
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: 824f993544b92aff7c22b3874e80a528766f98fa1554d3f39be98f23388b1520
                              • Instruction ID: 6fc77504b147ad3dc0b71e16ddd5dfa2c4ce29ff95728be3cb20e576e660ff99
                              • Opcode Fuzzy Hash: 824f993544b92aff7c22b3874e80a528766f98fa1554d3f39be98f23388b1520
                              • Instruction Fuzzy Hash: 89C04C36158105FF8F120F70CC06C1EBFA2ABA5712F10C918F159C5070CB328034EB02
                              APIs
                              • SetEndOfFile.KERNELBASE(?,00A87D81,?,?,?), ref: 00A87D3E
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: File
                              • String ID:
                              • API String ID: 749574446-0
                              • Opcode ID: 14898564e32e1d0b2f5a8e1d4f15484b233b9cc1499c3e263d4a3a2294af3ca5
                              • Instruction ID: 88dbc9b4fd48b2196ab5a6af6fa1b4737ee22983c6843ce13303dad69e9aed46
                              • Opcode Fuzzy Hash: 14898564e32e1d0b2f5a8e1d4f15484b233b9cc1499c3e263d4a3a2294af3ca5
                              • Instruction Fuzzy Hash: BCA002702E511B8F8F211F34DC0A8283EA1BB5370777027A4B103DB4F5DF26442EAA41
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: 74ac05883e93388b2a033e3758516cc465d5ad1cb64632bbea56aeafae3714e0
                              • Instruction ID: d9aa94b76bd41a842d15f0c88ff4009890561972b961f8c90b210e0cc38336dd
                              • Opcode Fuzzy Hash: 74ac05883e93388b2a033e3758516cc465d5ad1cb64632bbea56aeafae3714e0
                              • Instruction Fuzzy Hash: B7814D71E04249AFCF14EFA8C584AAEBBB1FF48324F14947AD511B7241E771AA80CF64
                              APIs
                              • CloseHandle.KERNELBASE(00000000,00000000,00A93D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A93E12
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 8b14f8e11720362d5caedd8b429d75962bdb2eb49a344cee4bfea7e8e769c848
                              • Instruction ID: c66a8cc06b3d2c049006c08804fb368104be263a97b3d5df25e565bd5cc8b984
                              • Opcode Fuzzy Hash: 8b14f8e11720362d5caedd8b429d75962bdb2eb49a344cee4bfea7e8e769c848
                              • Instruction Fuzzy Hash: B8D0123261421147DF705F2CF8457D663ED6F10322B154459FC80DB144EB64CCD35A90
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction ID: 503a40a97e0033211f03e86a578cf11f1048c75d1ca794478db88d07eccefe47
                              • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction Fuzzy Hash: 13D0C9E161260A06DF484A30484BA6A3AD46F5036AB6885F8A816CA2D1FB19C6299258
                              APIs
                              • CloseHandle.KERNELBASE(00000000,?,00A875AF,00000002,?,00000000,00000000), ref: 00A87657
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 26f637b3760653459340b29b1086dfdd968144df71609ae87724a9b270d47702
                              • Instruction ID: 2da45fb5aa860748ef2dd8499ac126beb0b9bd54e02092d81a5131ab825ab84f
                              • Opcode Fuzzy Hash: 26f637b3760653459340b29b1086dfdd968144df71609ae87724a9b270d47702
                              • Instruction Fuzzy Hash: 11D01231108622468A746F3C7846DCA37D85A123353710769F4B0D32E1E760CC834790
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000), ref: 00B06B31
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 419ab77b6f0c0c7e6d5d51be78a4a8c2c5ec585f0878cf38c40cb8b2ded6fdcb
                              • Instruction ID: b871c28a946613129ac442a42d869d88b692bb6e70905ba3b5adb3c1b366ca07
                              • Opcode Fuzzy Hash: 419ab77b6f0c0c7e6d5d51be78a4a8c2c5ec585f0878cf38c40cb8b2ded6fdcb
                              • Instruction Fuzzy Hash: D3C02BE1A4D280DFDF0213108C407603F309F83300F0A00C1E4046B0D3C6041C0DC723
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction ID: 7a2d9af2dfd7d9076d4a94468731ebca4af28f5eebead6bcd80021fdbd31194b
                              • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction Fuzzy Hash: 8CA024C551104101DD1C13303C0147710C013503077C004FC7405C0101F715C5145005
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction ID: 34f44eb14d64c75c3504924c88489312063b555041b01d941681b24710aa3acb
                              • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction Fuzzy Hash: 20A012CCF0000101DD0422343801473149262E06057D4C4F4640440105FA14C0146002
                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B06BAC
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 400de7de54e07a80cae3b9855eca1f919e2d1662eeb8932da2f4ab74a2b323dd
                              • Instruction ID: d6e8569cbfc951b7e0d48a8116fd0cc016859e3742980bd93974705688df71fa
                              • Opcode Fuzzy Hash: 400de7de54e07a80cae3b9855eca1f919e2d1662eeb8932da2f4ab74a2b323dd
                              • Instruction Fuzzy Hash: 3FA00278690700B7ED7067306D4FF5E3B247780F45F30854472416A0D05EE474459A9C
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction ID: 6b77f6ac962934eed96b54a9a58f324e4c629be67472747066d08b2670601981
                              • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction Fuzzy Hash:
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction ID: c31f996b3211b86f5da5c286a9ec3f04e329848f9da30c02721f1276b4460432
                              • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction Fuzzy Hash:
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                              • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: Version
                              • String ID:
                              • API String ID: 1889659487-0
                              APIs
                              • memcmp.MSVCRT(?,00B348A0,00000010), ref: 00A8C09E
                              • memcmp.MSVCRT(?,00B30258,00000010), ref: 00A8C0BB
                              • memcmp.MSVCRT(?,00B30348,00000010), ref: 00A8C0CE
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                              • API String ID: 3519838083-1909666238
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A864F8
                              • GetCurrentThreadId.KERNEL32 ref: 00A86508
                              • GetTickCount.KERNEL32 ref: 00A86513
                              • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00A8651E
                              • GetTickCount.KERNEL32 ref: 00A86578
                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 00A865C5
                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00A865EC
                                • Part of subcall function 00A85D7A: __EH_prolog.LIBCMT ref: 00A85D7F
                                • Part of subcall function 00A85D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00A85DA1
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Strings
                              Similarity
                              • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                              • String ID: .tmp$d
                              • API String ID: 1989517917-2797371523
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs
                              • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                              • API String ID: 1795875747-657955069
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prologfputs
                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                              • API String ID: 1798449854-1259944392
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A8A091
                                • Part of subcall function 00A89BAA: RegCloseKey.ADVAPI32(?,?,00A89BA0), ref: 00A89BB6
                              Strings
                              Similarity
                              • API ID: CloseH_prolog
                              • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                              • API String ID: 1579395594-270022386
                              APIs
                              • memset.MSVCRT ref: 00AE03F5
                              • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00AE0490
                              • memset.MSVCRT ref: 00AE0618
                              Strings
                              Similarity
                              • API ID: memset$memcpy
                              • String ID: $@
                              • API String ID: 368790112-1077428164
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A86141
                                • Part of subcall function 00A86C72: __EH_prolog.LIBCMT ref: 00A86C77
                              • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00A86197
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00A8626E
                              • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 00A862A9
                                • Part of subcall function 00A86096: __EH_prolog.LIBCMT ref: 00A8609B
                                • Part of subcall function 00A86096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00A860DF
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00A86285
                              Similarity
                              • API ID: ErrorLast$H_prolog$DeleteFile
                              • String ID:
                              • API String ID: 3586524497-0
                              APIs
                              • memcmp.MSVCRT(?,00B348A0,00000010), ref: 00A944DB
                              • memcmp.MSVCRT(?,00B30128,00000010), ref: 00A944EE
                              • memcmp.MSVCRT(?,00B30228,00000010), ref: 00A9450B
                              • memcmp.MSVCRT(?,00B30248,00000010), ref: 00A94528
                              • memcmp.MSVCRT(?,00B301C8,00000010), ref: 00A94545
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: !$LZMA2:$LZMA:
                              • API String ID: 3519838083-3332058968
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A8A389
                                • Part of subcall function 00A8A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,00A8A3C1,00000001), ref: 00A8A4CD
                                • Part of subcall function 00A8A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00A8A4DD
                              Strings
                              Similarity
                              • API ID: AddressH_prologHandleModuleProc
                              • String ID: : $ SP:$Windows
                              • API String ID: 786088110-3655538264
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A906FB
                              • EnterCriticalSection.KERNEL32(?), ref: 00A9070B
                              • LeaveCriticalSection.KERNEL32(?,?), ref: 00A90786
                                • Part of subcall function 00A9089E: _CxxThrowException.MSVCRT(?,00B34A58), ref: 00A908C4
                              Strings
                              Similarity
                              • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                              • String ID: v
                              • API String ID: 4150843469-3261393531
                              APIs
                              • __EH_prolog.LIBCMT ref: 00AB602A
                              • EnterCriticalSection.KERNEL32(00B42938), ref: 00AB6044
                              • LeaveCriticalSection.KERNEL32(00B42938), ref: 00AB6060
                              Strings
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID: v
                              • API String ID: 367238759-3261393531
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,00A8A3C1,00000001), ref: 00A8A4CD
                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00A8A4DD
                              Strings
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-1489217083
                              APIs
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00AA0359
                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00AA0382
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 00AA03DA
                              • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 00AA03F0
                              Similarity
                              • API ID: ErrorFileLastSecurity
                              • String ID:
                              • API String ID: 555121230-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A88300
                              • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00A8834F
                              • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00A8837C
                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00A8839B
                                • Part of subcall function 00A81E40: free.MSVCRT ref: 00A81E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                              • String ID:
                              • API String ID: 1689166341-0
                              • Opcode ID: 30604667663a8e45e2ac63f6d1b349da693e3b853c49542b128aa58dc4c4ce8c
                              • Instruction ID: e41210828b720a275b8288f43c2c9e43c425c4f47d3eee1ea6ba221ebbff296b
                              • Opcode Fuzzy Hash: 30604667663a8e45e2ac63f6d1b349da693e3b853c49542b128aa58dc4c4ce8c
                              • Instruction Fuzzy Hash: 6A218072A00204AFDF21AF94DD86AEE7BF9EF99750F20406DF945A7291CB354E44CB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: BlockPackSize$BlockUnpackSize
                              • API String ID: 3519838083-5494122
                              • Opcode ID: f67cc1b85b3d63d08396bf5a380125a71aa10f5023f259eefa4ce1b865c4146d
                              • Instruction ID: 08034f3ea548b54b92fd4be54608d593cb534b1b6ecd57138f11f263ba439678
                              • Opcode Fuzzy Hash: f67cc1b85b3d63d08396bf5a380125a71aa10f5023f259eefa4ce1b865c4146d
                              • Instruction Fuzzy Hash: 9B51D371C04285AEEF39DFA488A1FFD7BB1AF26300F2A446ED096671A2D7215D8CD701
                              APIs
                              • __EH_prolog.LIBCMT ref: 00A8A4F8
                                • Part of subcall function 00A8A384: __EH_prolog.LIBCMT ref: 00A8A389
                                • Part of subcall function 00A89E14: GetSystemInfo.KERNEL32(?), ref: 00A89E36
                                • Part of subcall function 00A89E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00A89E50
                                • Part of subcall function 00A89E14: GetProcAddress.KERNEL32(00000000), ref: 00A89E57
                              • strcmp.MSVCRT ref: 00A8A564
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                              • String ID: -
                              • API String ID: 2798778560-3695764949
                              • Opcode ID: d6963597b5e9d0daf45e99d8bcd530d529802912a6c4ec50ab262ee3d7a0d5a7
                              • Instruction ID: 89da28c7ce62680c31bb805b104795bd5d1cfa1f81b0d899e8838ea6d2ac6339
                              • Opcode Fuzzy Hash: d6963597b5e9d0daf45e99d8bcd530d529802912a6c4ec50ab262ee3d7a0d5a7
                              • Instruction Fuzzy Hash: 95312931D01219DBDF19FBE0DA52AFDBBB5EF64710F10406AF40172191DB355A85CB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$x
                              • API String ID: 3519838083-1948001322
                              • Opcode ID: 22d8c866edd3ffa83f6149b5c789884f84655fcbc1aaa56e8dfdb73995d65897
                              • Instruction ID: ad2042a8993197a2312a8ce871c3866e9f81a3c1fe48ee1494d82071e4354b3d
                              • Opcode Fuzzy Hash: 22d8c866edd3ffa83f6149b5c789884f84655fcbc1aaa56e8dfdb73995d65897
                              • Instruction Fuzzy Hash: A7213B36D0112ADBCF04EB98DA95AFDB7B9FF48304F24016AE80177242DB755E05CBA1
                              APIs
                              Strings
                              • Cannot open the file as archive, xrefs: 00AB86D0
                              • Cannot open encrypted archive. Wrong password?, xrefs: 00AB8698
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                              • API String ID: 1795875747-1623556331
                              • Opcode ID: 9e0ee5218a415ede9addc95b8c8fb882eb53557799a54d12372c099db82d6255
                              • Instruction ID: 82c9afd0019dc04c5b19bfaf161b4f1eb4305b443bcaf8b9acd9001d220cb646
                              • Opcode Fuzzy Hash: 9e0ee5218a415ede9addc95b8c8fb882eb53557799a54d12372c099db82d6255
                              • Instruction Fuzzy Hash: BD0162313042005BC615E798D5A5ABEB3EFAFC8314F54441AF60687A96DF78A812DB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: =
                              • API String ID: 1795875747-2525689732
                              • Opcode ID: 208558fb03f8d13bf3526361fa9113864190877f5fb1ea143dd25f6240fc25e1
                              • Instruction ID: 81a583f0d1e916b4562effb045a9187a34191d9668de192e23e77858d0902a87
                              • Opcode Fuzzy Hash: 208558fb03f8d13bf3526361fa9113864190877f5fb1ea143dd25f6240fc25e1
                              • Instruction Fuzzy Hash: E1E09A31E001259B8B00AAADAC428EE7B7DEB847147000822E420DB251EA709922CBD0
                              APIs
                              • memcmp.MSVCRT(?,00B348A0,00000010), ref: 00AE41D6
                              • memcmp.MSVCRT(?,00B30168,00000010), ref: 00AE41F1
                              • memcmp.MSVCRT(?,00B301E8,00000010), ref: 00AE4205
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1797357968.0000000000A81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A80000, based on PE: true
                               • Associated: 0000000A.00000002.1797342426.0000000000A80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797416978.0000000000B2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797437651.0000000000B42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 0000000A.00000002.1797456758.0000000000B4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_a80000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 71aa57b224bb64cae782d0fca19c90ffe8546d1cdac444a21ba2ac975aef5fae
                              • Instruction ID: aba605938c061ffc16bdea5be7e6ad612c75f3f86e5e3ab852c46f15f992d965
                              • Opcode Fuzzy Hash: 71aa57b224bb64cae782d0fca19c90ffe8546d1cdac444a21ba2ac975aef5fae
                              • Instruction Fuzzy Hash: 2B01C43134020667DB105B15CC42FFD73E89F68750F144568FF45EB281F6B5A99096D0