Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_1.0.8.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_1.0.8.exe (the #Uxxxx tokens are the sandbox's escaping of non-ASCII filename characters; U+5B89 U+88C5 U+52A9 U+624B spell 安装助手, "Installation Assistant")
renamed because original name is a hash value
Original sample name: _1.0.8.exe (as extracted here; the leading non-ASCII characters are missing)
Analysis ID: 1579603
MD5: eb985a9c4c8c2ddc4b039f64b520fca9
SHA1: c96d6e0868dd3248261232bd53943abfa074ffce
SHA256: 830caf16e52e098717a16ce8b2bda28f9a268746be2c77a6098e83941067b31c
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe (PID: 2276 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" MD5: EB985A9C4C8C2DDC4B039F64B520FCA9)
    • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp (PID: 3504 cmdline: "C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$10452,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 2460 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_1.0.8.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT MD5: EB985A9C4C8C2DDC4B039F64B520FCA9)
        • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp (PID: 1900 cmdline: "C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$3046E,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 7056 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 4424 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3376 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3504 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5876 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2200 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6408 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6500 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5876 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6204 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6772 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6104 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6612 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 764 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6204 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3376 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 984 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6612 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 616 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma matches on the PowerShell process (three rules fired on the same event; rule authors: Florian Roth (Nextron Systems), Florian Roth (Nextron Systems), Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)):
Source: Process started; Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$10452,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ParentProcessId: 3504, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2460, ProcessName: powershell.exe
Sigma matches on the sc.exe process (two rules fired on the same event; rule authors: Nasreddine Bencherchali (Nextron Systems) and Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community):
Source: Process started; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6204, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3376, ProcessName: sc.exe
No Suricata rule has matched
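The Sigma hits above fall on two events: three rules on the PowerShell command that excludes the whole C: drive from Defender, and two on the sc.exe command that registers tProtect.dll as a kernel driver; the process tree then shows that driver being started over and over. The script below is an example added for this page (it is not Joe Sandbox's or the Sigma project's code): it parses the report's own process-tree lines, reimplements the logic of those rules, including Sigma's base64offset modifier for the -EncodedCommand variant, and correlates the driver creation with the burst of "sc start" calls. The bullet-line parser, the burst threshold, the extra whole-volume and 7zr-password checks and the -EncodedCommand event are this example's own additions; the tree excerpt is copied from the report.

```python
"""Re-run the report's Sigma-style checks over its process tree and correlate them.

Added example for this page; not Joe Sandbox or Sigma project code.  TREE is an excerpt
of the report's process tree (PIDs, hashes, command lines as printed); CONSTRUCTED_EVENT
is made up here to exercise the base64 path, since the report's command is plaintext."""
import base64
import re
from collections import Counter

# Tree lines read "• name (PID: n cmdline: ... MD5: hash)"; cmdline is taken non-greedily up to " MD5:".
TREE_LINE = re.compile(r"^\s*•\s*(?P<name>\S+)\s+\(PID:\s*(?P<pid>\d+)\s+cmdline:\s*"
                       r"(?P<cmd>.*?)\s+MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\)\s*$")

def parse_tree(text):  # report tree lines -> event dicts; lines that do not parse are skipped
    return [{"name": m["name"], "pid": int(m["pid"]), "cmdline": m["cmd"], "md5": m["md5"].lower()}
            for m in map(TREE_LINE.match, text.splitlines()) if m]

def base64offset(pattern):
    """Sigma's base64offset modifier: the three base64 renderings of `pattern` (one per byte
    alignment in the blob), trimmed of the characters that depend on the unknown neighbours."""
    starts, ends = (0, 2, 3), (None, -3, -2)
    return [base64.b64encode(b" " * i + pattern).decode()[starts[i]:ends[(len(pattern) + i) % 3]]
            for i in range(3)]

MP_CMDLETS = ("Add-MpPreference ", "Set-MpPreference ", "add-mppreference ", "set-mppreference ")

def matches_encoded_mppreference(cmdline):
    """'Powershell Base64 Encoded MpPreference Cmdlet': cmdlet name hidden in base64, ASCII or UTF-16LE."""
    return any(frag in cmdline
               for pat in MP_CMDLETS
               for raw in (pat.encode("ascii"), pat.encode("utf-16le"))
               for frag in base64offset(raw))

def powershell_encoded(script):
    return base64.b64encode(script.encode("utf-16le")).decode()   # what -EncodedCommand expects

MP_EXCLUSION = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)\b", re.I | re.S)
EXCL_PATH = re.compile(r"-ExclusionPath\s+['\"]?(?P<path>[^'\"\s]+)", re.I)
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+)(?P<rest>.*)", re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(?P<svc>\S+)", re.I)
SEVENZIP = re.compile(r"\b7zr?(?:\.exe)?\s+x\b(?P<args>.*)", re.I)

def detect(events, start_burst=3):
    """Return (rule, pid, detail) findings for one process tree."""
    findings, kernel_drivers, starts = [], {}, Counter()
    for ev in events:
        cmd, pid, name = ev["cmdline"], ev["pid"], ev["name"].lower()
        if MP_EXCLUSION.search(cmd):
            findings.append(("Powershell Defender Exclusion", pid, cmd))
            if (m := EXCL_PATH.search(cmd)) and re.fullmatch(r"[A-Za-z]:\\?", m["path"]):
                findings.append(("Defender exclusion covers an entire volume", pid, m["path"]))  # 'C:\' = whole drive
        if matches_encoded_mppreference(cmd):
            findings.append(("Powershell Base64 Encoded MpPreference Cmdlet", pid, cmd))
        if name == "sc.exe":   # the Sigma rules key on Image, so the "cmd /c start sc ..." wrapper is ignored
            if (m := SC_CREATE.search(cmd)) and re.search(r"type=\s*kernel\b", m["rest"], re.I):
                kernel_drivers[m["svc"]] = pid
                findings.append(("New Kernel Driver Via SC.EXE", pid, cmd))
            if m := SC_START.search(cmd):
                starts[m["svc"]] += 1
        if m := SEVENZIP.search(cmd):   # an inline -p<password> is itself an indicator worth extracting
            tokens = m["args"].split()
            archive = next((t for t in tokens if not t.startswith("-")), "?")
            if password := next((t[2:] for t in tokens if t.startswith("-p")), None):
                findings.append(("Password-protected archive unpacked by 7zr", pid, f"{archive} password={password}"))
    for svc, n in starts.items():   # a driver created in this run and then started over and over
        if svc in kernel_drivers and n >= start_burst:
            findings.append(("Repeated start of a freshly created kernel driver", kernel_drivers[svc],
                             f"{svc}: {n} 'sc start' attempts"))
    return findings

# Copied from the report's process tree (a subset; the full tree has about thirty 'sc start' lines).
TREE = r'''
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe (PID: 2276 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" MD5: EB985A9C4C8C2DDC4B039F64B520FCA9)
      • powershell.exe (PID: 2460 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • 7zr.exe (PID: 7056 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3376 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 4148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 3116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 5648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
'''

# Constructed for this example (not in the report): the same exclusion, hidden behind -EncodedCommand.
CONSTRUCTED_EVENT = {"name": "powershell.exe", "pid": 9999, "md5": "n/a",
                     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                                + powershell_encoded("Add-MpPreference -ExclusionPath 'C:\\'")}

def triage(tree_text=TREE, extra=(CONSTRUCTED_EVENT,)):
    return detect(parse_tree(tree_text) + list(extra))

if __name__ == "__main__":
    print(*(f"[{rule}] pid={pid}: {detail}" for rule, pid, detail in triage()), sep="\n")
```

detect() takes any list of {name, pid, cmdline} dicts, so the same checks run unchanged over Sysmon event 1 or Security 4688 exports once Image and CommandLine are mapped into that shape.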

AV Detection

Source: Submitted sample; Integrated Neural Analysis Model: Matched 85.3% probability
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000D.00000003.2176449346.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2176558259.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr. The PDB path marks the dropped tProtect.dll as a release ("objfre") amd64 build from a drivers\tfsysmon source tree, i.e. a kernel driver named TfSysMon ("wnet" is the Windows Server 2003 WDK build target), which matches its registration in the process tree with sc create ... type= kernel: a kernel-mode image shipped under a .dll extension, consistent with the "non-matching file extension" signature.
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp; Code function: 7_2_6C13AEC0 FindFirstFileA,FindClose,7_2_6C13AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00C46868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00C46868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00C47496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00C47496
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.0000000004200000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr; Strings found in binary or memory (DigiCert CA-issuer, CRL and OCSP URLs of an embedded Authenticode certificate chain; the trailing "0..." characters are the next DER tag byte, 0x30, picked up by the string scan):
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  http://ocsp.digicert.com0A
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0H
  http://ocsp.digicert.com0I
  http://ocsp.digicert.com0X
  http://www.digicert.com/CPS0
  http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr; Strings found in binary or memory (the usage and bug-report text of the aria2 download utility, so is-U4U00.tmp is an aria2 build):
  http://www.metalinker.org/
  http://www.metalinker.org/basic_string::_M_construct
  https://aria2.github.io/
  https://aria2.github.io/Usage:
  https://github.com/aria2/aria2/issues
  https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU (Inno Setup help URL; the /VERYSILENT and /SL5= switches and the is-OGTQD.tmp and is-G5IV4.tmp directories in the process tree are Inno Setup conventions)
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049375627.0000000003120000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049788796.000000007F59B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000000.2051871915.0000000000631000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000007.00000000.2146232995.0000000000C2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr; Strings found in binary or memory (Inno Setup and its RemObjects Pascal Script engine):
  https://www.innosetup.com/
  https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp; Process information set: 01 00 00 00 (a DWORD value of 1, consistent with setting ProcessBreakOnTermination on its own process; see the "Protects its processes via BreakOnTermination flag" signature. Terminating a process marked this way bugchecks the machine, which is why the sandbox files it under operating-system destruction.)

System Summary

barindex
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: update.vac.7.dr | Static PE information: section name: .=~
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6C145120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6C145D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6BFC4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: String function: 6C179240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: String function: 6C216F10 appears 728 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00CDFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00C41E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00C428E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049788796.000000007F89A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000000.2047781231.0000000000B59000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049375627.000000000323E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@133/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6C145D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00C49313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00C53D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00C49252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 7_2_6C145240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | File created: C:\Program Files (x86)\Windows NT\is-DGH7I.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | File created: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$10452,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$3046E,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(The "cmd /c start sc start CleverSoar" launch from an unknown parent is listed 27 times, each followed by an "sc start CleverSoar" child and a conhost.exe child; for some of the repeats the report attributes the sc.exe or conhost.exe child to sc.exe or conhost.exe rather than to cmd.exe. The identical repeated entries are listed once here.)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$10452,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$3046E,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this entry is listed 30 times)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
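The process list above is the whole installation chain in one place: an Inno Setup installer re-launching itself with /VERYSILENT, a whole-drive Defender exclusion via Add-MpPreference, 7zr.exe extracting password-protected payloads that carry a .dat extension, and a kernel service whose image is a .dll under "Program Files (x86)\Windows NT" that is then started over and over. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: a small detection pass in Python over process-creation events. The command lines are copied from the report; the event shape (parent image, image, command line) is an assumption modelled on Sysmon event ID 1 / Security 4688 fields, and the six repeated "sc start" events are constructed to stand in for the report's much longer loop.

```python
"""Detection pass over the process-creation chain this report records.
Added example, not part of the Joe Sandbox report or of the sample. Command lines
are copied from the report; the event shape is an assumption modelled on Sysmon
event ID 1 / Security 4688 fields; the repeated "sc start" events are constructed."""
import ntpath
import re
from collections import Counter, namedtuple

ProcEvent = namedtuple("ProcEvent", "parent_image image command_line")
ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".cab"}

def tokens(cmd):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def sc_option(toks, name):
    """Value of an sc.exe option; sc accepts both 'name= value' and 'name=value'."""
    key = name.lower() + "="
    for i, tok in enumerate(toks):
        if tok.lower() == key and i + 1 < len(toks):
            return toks[i + 1]
        if tok.lower().startswith(key) and len(tok) > len(key):
            return tok[len(key):]
    return None

def check_defender_exclusion(ev):
    """Any Add-MpPreference -ExclusionPath deserves a look; a drive root (the
    'C:\\' this sample excludes) switches Defender off for nearly everything."""
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?([^'\"\s]+)",
                  ev.command_line, re.IGNORECASE)
    if not m:
        return None
    path = m.group(1)
    broad = re.fullmatch(r"[A-Za-z]:\\?", path) is not None
    return {"rule": "defender_exclusion", "path": path,
            "severity": "high" if broad else "medium"}

def check_kernel_service(ev):
    """sc create ... type= kernel whose image is not a .sys under System32\\drivers,
    which is how this sample registers tProtect.dll."""
    toks = tokens(ev.command_line)
    if ntpath.basename(ev.image).lower() != "sc.exe" or len(toks) < 3:
        return None
    if toks[1].lower() != "create" or (sc_option(toks, "type") or "").lower() != "kernel":
        return None
    bin_path = sc_option(toks, "binPath") or ""
    reasons = []
    if ntpath.splitext(bin_path)[1].lower() != ".sys":
        reasons.append("non-.sys driver image")
    if "\\windows\\system32\\drivers\\" not in bin_path.lower():
        reasons.append("driver outside System32\\drivers")
    if not reasons:
        return None
    return {"rule": "kernel_service_create", "service": toks[2],
            "binpath": bin_path, "reasons": reasons}

def check_password_extract(ev):
    """7-Zip extraction with an inline -p password from a file whose extension
    hides the archive format (res.dat and locale3.dat in this report)."""
    if ntpath.basename(ev.image).lower() not in {"7zr.exe", "7z.exe", "7za.exe"}:
        return None
    toks = tokens(ev.command_line)
    if len(toks) < 3 or toks[1].lower() not in {"x", "e"}:
        return None
    has_password = any(t.startswith("-p") and len(t) > 2 for t in toks[2:])
    archives = [t for t in toks[2:] if not t.startswith("-")]
    if not has_password or not archives or ntpath.splitext(archives[0])[1].lower() in ARCHIVE_EXTS:
        return None
    return {"rule": "password_protected_extract", "archive": archives[0],
            "image_dir": ntpath.dirname(ev.image)}

def check_service_start_loop(events, threshold=5):
    """The report lists 'sc start CleverSoar' dozens of times; an installer starts its service once."""
    counts = Counter()
    for ev in events:
        toks = tokens(ev.command_line)
        if ntpath.basename(ev.image).lower() == "sc.exe" and len(toks) >= 3 and toks[1].lower() == "start":
            counts[toks[2]] += 1
    return [{"rule": "service_start_loop", "service": s, "count": n}
            for s, n in counts.items() if n >= threshold]

def run(events):
    # per-event checks first (in event order), then the cross-event loop check
    findings = [f for ev in events
                for f in (check_defender_exclusion(ev), check_kernel_service(ev), check_password_extract(ev)) if f]
    return findings + check_service_start_loop(events)

TMP1 = r"C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp"
TMP2 = r"C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp"
PS, CMD, SC = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe")
SEVENZ = r"C:\Program Files (x86)\Windows NT\7zr.exe"
EVENTS = [  # command lines as listed in the report
    ProcEvent(TMP1, PS, r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''),
    ProcEvent(CMD, SC, r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    ProcEvent(TMP2, SEVENZ, "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ProcEvent(TMP2, SEVENZ, "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    # constructed for contrast: a narrow exclusion such as a developer might add
    ProcEvent(CMD, PS, r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Dev\build'"'''),
] + [ProcEvent(CMD, SC, "sc start CleverSoar")] * 6  # constructed stand-in for the report's loop
```

The kernel-service check keys on type= kernel plus an image that is not a .sys under System32\drivers; third-party drivers normally install into the drivers directory, so both reasons firing together is the strong signal, either one alone is a prompt to look. The exclusion check grades a drive-root path above a directory path because C:\ is effectively a Defender off switch for the whole volume. Each finding carries only fields copied from the event, so it can go straight into whatever alerting pipeline consumes it.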
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Section loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Section loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (listed 3 times), shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, wldp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed 2 times), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll (listed 2 times), kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll (listed 2 times), gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Section loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Section loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (listed 3 times), shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, windows.storage.dll, wldp.dll, sspicli.dll, dwmapi.dll, sfc.dll, sfc_os.dll, explorerframe.dll, wininet.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static file information: File size 5707238 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000D.00000003.2176449346.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2176558259.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00CC57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: real checksum: 0x0 should be: 0x5724cd
Source: update.vac.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section names: .00cfg, .voltbl, .=~
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vac.7.dr | Static PE information: section names: .00cfg, .voltbl, .=~
Source: is-U4U00.tmp.7.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.7.dr | Static PE information: section names: .00cfg, .voltbl, .=~
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C1486EB push ecx; ret 7_2_6C1486FE
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6BFF0F00 push ss; retn 0001h 7_2_6BFF0F0A
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C216F10 push eax; ret 7_2_6C216F2E
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C17B9F4 push 004AC35Ch; ret 7_2_6C17BA0E
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C217290 push eax; ret 7_2_6C2172BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00C445F4 push 00CEC35Ch; ret 11_2_00C4460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00CDFB10 push eax; ret 11_2_00CDFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00CDFE90 push eax; ret 11_2_00CDFEBE
Source: update.vac.2.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.7.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.7.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe File created: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-0IAVH.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe File created: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\is-U4U00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-0IAVH.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-I4OA7.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-I4OA7.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6207
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3482
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Window / User API: threadDelayed 528
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Window / User API: threadDelayed 534
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Window / User API: threadDelayed 507
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0IAVH.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-U4U00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0IAVH.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I4OA7.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I4OA7.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C13AEC0 FindFirstFileA,FindClose, 7_2_6C13AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00C46868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_00C46868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00C47496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_00C47496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00C49C60 GetSystemInfo, 11_2_00C49C60
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000002.2152496623.0000000001374000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6BFC3886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6BFC3886
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C150181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C150181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00CC57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_00CC57D0
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C159D35 mov eax, dword ptr fs:[00000030h] 7_2_6C159D35
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C159D66 mov eax, dword ptr fs:[00000030h] 7_2_6C159D66
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C14F17D mov eax, dword ptr fs:[00000030h] 7_2_6C14F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C148CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C148CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 7_2_6C217720 cpuid 7_2_6C217720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00C4AB2A GetSystemTimeAsFileTime, 11_2_00C4AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00CE0090 GetVersion, 11_2_00CE0090
MITRE ATT&CK matrix (one tactic per column; a leading number is the report's count for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 35 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1579603
Sample: #U5b89#U88c5#U52a9#U624b_1....
Start date: 23/12/2024
Architecture: WINDOWS
Score: 80

Signatures attached to the start node: Found driver which could be used to inject code into processes; PE file contains section with special chars; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree reconstructed from the graph edges:
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe started
    • dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, PE32
    • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp started
      • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      • signature: Adds a directory exclusion to Windows Defender
      • #U5b89#U88c5#U52a9#U624b_1.0.8.exe started
        • dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, PE32
        • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp started
          • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files (x86)\...\trash (copy), PE32+; 3 other files (none is malicious)
          • signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
          • 7zr.exe started
            • dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
            • conhost.exe started
          • 7zr.exe started
            • conhost.exe started
      • powershell.exe started
        • signature: Loading BitLocker PowerShell Module
        • conhost.exe started
        • WmiPrvSE.exe started
  • cmd.exe started
    • sc.exe started
      • conhost.exe started
  • cmd.exe started
    • sc.exe started
      • conhost.exe started
  • 30 other processes
    • sc.exe started (three instances shown), each followed by a conhost.exe
    • 26 other processes
      • conhost.exe started
      • 25 other processes

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_1.0.8.exe | 6% | Virustotal
#U5b89#U88c5#U52a9#U624b_1.0.8.exe | 0% | ReversingLabs

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-U4U00.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0IAVH.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I4OA7.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr | false | | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | false | | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr | false | | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr | false | | unknown
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049375627.0000000003120000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049788796.000000007F59B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000000.2051871915.0000000000631000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000007.00000000.2146232995.0000000000C2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | false | | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr | false | | unknown
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049375627.0000000003120000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.2049788796.000000007F59B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000000.2051871915.0000000000631000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000007.00000000.2146232995.0000000000C2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000002.00000003.2142833210.00000000046A9000.00000004.00001000.00020000.00000000.sdmp, is-U4U00.tmp.7.dr | false | | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579603
Start date and time: 2024-12-23 05:15:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 108
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_1.0.8.exe (renamed because the original name is a hash value)
Original Sample Name: _1.0.8.exe
Detection: MAL
Classification: mal80.evad.winEXE@133/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 28
• Number of non-executed functions: 80
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.85.23.206, 13.107.246.63
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | Support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown | 199.232.210.172
 | Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172
 | Company Information.pdf.lnk | malicious | Unknown | 199.232.210.172
 | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 199.232.210.172
 | HX Design.exe | malicious | Python Stealer, Blank Grabber | 199.232.210.172
 | 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | malicious | AsyncRAT, DcRat | 199.232.210.172
 | 1734732186278e5c87d1a316617c1125acd5c32aedeebfd021b1e761647265ea7426c527bd565.dat-decoded.exe | malicious | PureLog Stealer, zgRAT | 199.232.214.172
 | Statements.pdf | malicious | WinSearchAbuse | 199.232.210.172
 | INVOICE_2279_from_RealEyes Digital LLC (1).pdf | malicious | Unknown | 199.232.214.172

No context
No context

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | malicious | Unknown
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
 | ekTL8jTI4D.msi | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: ekTL8jTI4D.msi, Detection: malicious
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999225319458047
Encrypted: true
SSDEEP: 6144:9kdN1LFIJMjnJSkbZjcFs3hSU16LWlIHO+SgwcyyGYJ4:q1LFIejnJ7bZwY6LWwO+xby+S
MD5: A64035088C56F185A72562787F46C65F
SHA1: 4F74D232C77E47AC1530157078AC3F010A5BE814
SHA-256: BA48ABC7A735A5C78CA4F103C9F7BC8DD65F9D08622B1AA0F8F2D32B64E7E93A
SHA-512: C532C5BA86285B52015A38303377FE17BBC279224F718EE329BBD39DC424269338CC712809432FBB2B785C97797A3991F1548413953592E7AC1D1BD8594A31F1
Malicious: false
                                Preview:.@S....%....,..............[E.J......W(b.7.N...gFd/...m ..H\..q..e.....G....>.*..`DAt...4W.....O......uj..Gm..R.'..P<W......o.u..{`,..5..F........T..d.<........o...'....R.M...a......Jdp....n....*}|x.6.....5..P<.7.v...F...J..8.....[..@E..-..m*.I.T.....J.:........(....nD....Xg.h..........-}`...k...$.~M.....)..o.].{..B..Rg...j.....Z.O....T.t)\.....Re=.U..Q.>...=....Z..6}p.....A..*CF..g..^.x.W..Nx9.`......9*.....e...X..>...7..<?......2...r.b.-..j.R.7.-.....XC..." ...!....U.UFfw...zlH....BLq....c".Z..V..+.&....b..%.z.W.b..v.s.0E..C.:k0..~..&..o....X....<..K".3:....,...oe....L.....4..j..3r.h<#..00.....Jr..../.HZi.u...e.{=.8..(,..}A.$L..........b...c..d..J..i.Q.4.8.....hX.<oL.-832.L|}Yw...Rt.V.}.&..F........'......l....Y.O.. ..c.&....;.@........(V...1........0..4....J.O.........*B......l..)Z...O.V....w.k.|m....9..xz+3.a...j.g<t..d2.f0.j..#y..P[.}.....{....km.vf,.{....;...c........3$.As.....l...:..%..4.3....h..N..*.........R....C^>t..lH.....
Process: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: false
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999225319458047
Encrypted: true
SSDEEP: 6144:9kdN1LFIJMjnJSkbZjcFs3hSU16LWlIHO+SgwcyyGYJ4:q1LFIejnJ7bZwY6LWwO+xby+S
MD5: A64035088C56F185A72562787F46C65F
SHA1: 4F74D232C77E47AC1530157078AC3F010A5BE814
SHA-256: BA48ABC7A735A5C78CA4F103C9F7BC8DD65F9D08622B1AA0F8F2D32B64E7E93A
SHA-512: C532C5BA86285B52015A38303377FE17BBC279224F718EE329BBD39DC424269338CC712809432FBB2B785C97797A3991F1548413953592E7AC1D1BD8594A31F1
Malicious: false
                                Preview:.@S....%....,..............[E.J......W(b.7.N...gFd/...m ..H\..q..e.....G....>.*..`DAt...4W.....O......uj..Gm..R.'..P<W......o.u..{`,..5..F........T..d.<........o...'....R.M...a......Jdp....n....*}|x.6.....5..P<.7.v...F...J..8.....[..@E..-..m*.I.T.....J.:........(....nD....Xg.h..........-}`...k...$.~M.....)..o.].{..B..Rg...j.....Z.O....T.t)\.....Re=.U..Q.>...=....Z..6}p.....A..*CF..g..^.x.W..Nx9.`......9*.....e...X..>...7..<?......2...r.b.-..j.R.7.-.....XC..." ...!....U.UFfw...zlH....BLq....c".Z..V..+.&....b..%.z.W.b..v.s.0E..C.:k0..~..&..o....X....<..K".3:....,...oe....L.....4..j..3r.h<#..00.....Jr..../.HZi.u...e.{=.8..(,..}A.$L..........b...c..d..J..i.Q.4.8.....hX.<oL.-832.L|}Yw...Rt.V.}.&..F........'......l....Y.O.. ..c.&....;.@........(V...1........0..4....J.O.........*B......l..)Z...O.V....w.k.|m....9..xz+3.a...j.g<t..d2.f0.j..#y..P[.}.....{....km.vf,.{....;...c........3$.As.....l...:..%..4.3....h..N..*.........R....C^>t..lH.....
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):5649408
                                Entropy (8bit):6.392614480390128
                                Encrypted:false
                                SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56546
                                Entropy (8bit):7.996777007999937
                                Encrypted:true
                                SSDEEP:1536:3DbuN+GJMhUDzY3H8ciDYfgCK5X9Ide3hUXpCSu1+MfQO22:n2jMhozKH8vxtz3hakSYKV2
                                MD5:21277A248DF0E02C5F19F6CE5D521AA7
                                SHA1:035E6CD46BD766745BE5AB7089ECCDC97DD8943A
                                SHA-256:F1F20D52717F38F69963E54A4C4F260232085481AE798D8AEC6568514E14CD25
                                SHA-512:D487B5FF112ECFA7AB22B63488626AFE0AFFD6334C1A6874AA279A9EF4D5DD9A3EED11126FAC6FFC4A36F1EBC71F0B0C04A9DA0CBCE78BD519D59149D9B9E707
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):56546
                                Entropy (8bit):7.996777007999922
                                Encrypted:true
                                SSDEEP:768:L6bKOYcy4jS9yw4oUsfgv+8jlHhJfjqYiyS28kOPyEMtLqDdRGkcz3em7QSrB4HU:ObKH74wyw4ozf+5hjqZWx/uXKz3dEHYL
                                MD5:B5AD685CF42B8BB1B42D0B527BE51424
                                SHA1:8A064DCF6460DD874433DB2522D538944A509537
                                SHA-256:B1DCBB750AD95EFCAA8A1C03E0F8C8CEE95776ACDBAF21BBD6B37D19DCA7EFB9
                                SHA-512:46BD15FF8BB3FE2301DE5B10799BF5CF9550D0F3DC83CDEFC57D24A46FD9475271CC548AB705E50B93A07C17ADEDF19EA0E468100058DF894D193A249B7AFB84
                                Malicious:false
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56546
                                Entropy (8bit):7.996966859255975
                                Encrypted:true
                                SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                MD5:CEA69F993E1CE0FB945A98BF37A66546
                                SHA1:7114365265F041DA904574D1F5876544506F89BA
                                SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):56546
                                Entropy (8bit):7.996966859255979
                                Encrypted:true
                                SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                MD5:4CB8B7E557C80FC7B014133AB834A042
                                SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                Malicious:false
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):31890
                                Entropy (8bit):7.99402458740637
                                Encrypted:true
                                SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                MD5:8622FC7228777F64A47BD6C61478ADD9
                                SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):31890
                                Entropy (8bit):7.99402458740637
                                Encrypted:true
                                SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                Malicious:false
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):74960
                                Entropy (8bit):7.99759370165655
                                Encrypted:true
                                SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                MD5:950338D50B95A25F494EE74E97B7B7A9
                                SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):74960
                                Entropy (8bit):7.997593701656546
                                Encrypted:true
                                SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                MD5:059BA7C31F3E227356CA5F29E4AA2508
                                SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                Malicious:false
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):29730
                                Entropy (8bit):7.994290657653607
                                Encrypted:true
                                SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):29730
                                Entropy (8bit):7.994290657653608
                                Encrypted:true
                                SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                MD5:A9C8A3E00692F79E1BA9693003F85D18
                                SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):249984
                                Entropy (8bit):7.999225319458047
                                Encrypted:true
                                SSDEEP:6144:UiZojLOtJtSMEo8gctOJw+51/DrWJEwcTvHPh4c+i2:UiG8+ME1gOO2+51/XWJDKvv2
                                MD5:4100B1A02960442D62C2A71859DE711C
                                SHA1:892354E9BF923DF486A24F3E6AF4F43D66915F98
                                SHA-256:11F926A0E453E3D5FF5D01BB29EF2C9A46CA30AB367D03210E0794D2C7616FF7
                                SHA-512:42632F833ABB0E3C0A647BE83C6C22135D1590B64AC3DE3006B1CF9D689BEDE54668A396067A2CE5AFAA900E3DD874F1899F390C133C22CC5464665766F21AAE
                                Malicious:false
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):63640
                                Entropy (8bit):6.482810107683822
                                Encrypted:false
                                SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 9%
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):3.3449406240731085
                                Encrypted:false
                                SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                                MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                                SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                                SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                                SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                                Malicious:false
                                Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):5649408
                                Entropy (8bit):6.392614480390128
                                Encrypted:false
                                SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:NlllulpgztZ:NllUO
                                MD5:ADB67D140C904AFBF0D2C47FCFC73086
                                SHA1:CAA1973FC7AB5367DC2007487049041C6D0AC54E
                                SHA-256:BA09CC360CD10629A32D8E84392BAD452284123893B0792F6417340A72E3B951
                                SHA-512:85BE6449222EAA096A6F84E051D16DB1147498DA621BDB6C7B5D11CF6C306DB4DE90CEB457EDE22CCA53BC94CF4D1E6D0FAE203D196AF7AF225AF87464E1286E
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):6144
                                Entropy (8bit):4.720366600008286
                                Encrypted:false
                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3598848
                                Entropy (8bit):7.004949099807939
                                Encrypted:false
                                SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                MD5:1D1464C73252978A58AC925ECE57F0FB
                                SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                Malicious:false
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3366912
                                Entropy (8bit):6.530548291878271
                                Encrypted:false
                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                MD5:9902FA6D39184B87AED7D94A037912D8
                                SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                Malicious:true
                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                Process:C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):6144
                                Entropy (8bit):4.720366600008286
                                Encrypted:false
                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3598848
                                Entropy (8bit):7.004949099807939
                                Encrypted:false
                                SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                MD5:1D1464C73252978A58AC925ECE57F0FB
                                SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                Malicious:false
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3366912
                                Entropy (8bit):6.530548291878271
                                Encrypted:false
                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                MD5:9902FA6D39184B87AED7D94A037912D8
                                SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                Malicious:true
                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:ASCII text, with CRLF, CR line terminators
                                Category:dropped
                                Size (bytes):406
                                Entropy (8bit):5.117520345541057
                                Encrypted:false
                                SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                MD5:9200058492BCA8F9D88B4877F842C148
                                SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                Malicious:false
                                Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.921235309481934
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 98.04%
                                • Inno Setup installer (109748/4) 1.08%
                                • InstallShield setup (43055/19) 0.42%
                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                File name:#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                File size:5'707'238 bytes
                                MD5:eb985a9c4c8c2ddc4b039f64b520fca9
                                SHA1:c96d6e0868dd3248261232bd53943abfa074ffce
                                SHA256:830caf16e52e098717a16ce8b2bda28f9a268746be2c77a6098e83941067b31c
                                SHA512:0bf08e1c95a4d0863f67bba18ba43520400972e115f50abe45518fd7246fb0b89c0e8e3302666ae331dde01d765dad44cad01af49b8c60fb77d377599965c5cc
                                SSDEEP:98304:XwREGjGWMsLAe53AKokM1mZDvmruKupjleyr2oEoDqTaMQ1m0idMwZgf:lGjGWMOhRZmiKuzeyyt3PEUs
                                TLSH:88461223F2C7E13EE05E0B3B06B2B15894FB6A506422AE5786ECB4ECCF651501D3E657
                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                Icon Hash:0c0c2d33ceec80aa
                                Entrypoint:0x4a83bc
                                Entrypoint Section:.itext
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:1
                                File Version Major:6
                                File Version Minor:1
                                Subsystem Version Major:6
                                Subsystem Version Minor:1
                                Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                Instruction
                                push ebp
                                mov ebp, esp
                                add esp, FFFFFFA4h
                                push ebx
                                push esi
                                push edi
                                xor eax, eax
                                mov dword ptr [ebp-3Ch], eax
                                mov dword ptr [ebp-40h], eax
                                mov dword ptr [ebp-5Ch], eax
                                mov dword ptr [ebp-30h], eax
                                mov dword ptr [ebp-38h], eax
                                mov dword ptr [ebp-34h], eax
                                mov dword ptr [ebp-2Ch], eax
                                mov dword ptr [ebp-28h], eax
                                mov dword ptr [ebp-14h], eax
                                mov eax, 004A2EBCh
                                call 00007FE748DE9BC5h
                                xor eax, eax
                                push ebp
                                push 004A8AC1h
                                push dword ptr fs:[eax]
                                mov dword ptr fs:[eax], esp
                                xor edx, edx
                                push ebp
                                push 004A8A7Bh
                                push dword ptr fs:[edx]
                                mov dword ptr fs:[edx], esp
                                mov eax, dword ptr [004B0634h]
                                call 00007FE748E7B54Bh
                                call 00007FE748E7B09Eh
                                lea edx, dword ptr [ebp-14h]
                                xor eax, eax
                                call 00007FE748E75D78h
                                mov edx, dword ptr [ebp-14h]
                                mov eax, 004B41F4h
                                call 00007FE748DE3C73h
                                push 00000002h
                                push 00000000h
                                push 00000001h
                                mov ecx, dword ptr [004B41F4h]
                                mov dl, 01h
                                mov eax, dword ptr [0049CD14h]
                                call 00007FE748E770A3h
                                mov dword ptr [004B41F8h], eax
                                xor edx, edx
                                push ebp
                                push 004A8A27h
                                push dword ptr fs:[edx]
                                mov dword ptr fs:[edx], esp
                                call 00007FE748E7B5D3h
                                mov dword ptr [004B4200h], eax
                                mov eax, dword ptr [004B4200h]
                                cmp dword ptr [eax+0Ch], 01h
                                jne 00007FE748E822BAh
                                mov eax, dword ptr [004B4200h]
                                mov edx, 00000028h
                                call 00007FE748E77998h
                                mov edx, dword ptr [004B4200h]
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                .rsrc | 0xcb000 | 0x11000 | 0x11000 | 162c4332f4d9aac559be41304700a4ec | False | 0.18785903033088236 | data | 3.721312151081868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                                RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                DLL | Import
                                kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                comctl32.dll | InitCommonControls
                                user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                Exports (Name / Ordinal / Address):
                                Name:__dbk_fcall_wrapper
                                Ordinal:2
                                Address:0x40fc10

                                Name:dbkFCallWrapperAddr
                                Ordinal:1
                                Address:0x4b063c
                                Language of compilation system:English
                                Country where language is spoken:United States
                                DNS answers (Timestamp / Source IP / Dest IP / Trans ID / Reply Code / Name / Address / Type / Class / DNS over HTTPS):
                                Timestamp:Dec 23, 2024 05:16:31.833736897 CET
                                Source IP:1.1.1.1
                                Dest IP:192.168.2.5
                                Trans ID:0xcb9b
                                Reply Code:No error (0)
                                Name:bg.microsoft.map.fastly.net
                                Address:199.232.210.172
                                Type:A (IP address)
                                Class:IN (0x0001)
                                DNS over HTTPS:false

                                Timestamp:Dec 23, 2024 05:16:31.833736897 CET
                                Source IP:1.1.1.1
                                Dest IP:192.168.2.5
                                Trans ID:0xcb9b
                                Reply Code:No error (0)
                                Name:bg.microsoft.map.fastly.net
                                Address:199.232.214.172
                                Type:A (IP address)
                                Class:IN (0x0001)
                                DNS over HTTPS:false

                                Target ID:0
                                Start time:23:16:15
                                Start date:22/12/2024
                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
                                Imagebase:0xaa0000
                                File size:5'707'238 bytes
                                MD5 hash:EB985A9C4C8C2DDC4B039F64B520FCA9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:23:16:16
                                Start date:22/12/2024
                                Path:C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\is-OGTQD.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$10452,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
                                Imagebase:0x630000
                                File size:3'366'912 bytes
                                MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:23:16:17
                                Start date:22/12/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:23:16:17
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:23:16:22
                                Start date:22/12/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff6ef0c0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:6
                                Start time:23:16:25
                                Start date:22/12/2024
                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
                                Imagebase:0xaa0000
                                File size:5'707'238 bytes
                                MD5 hash:EB985A9C4C8C2DDC4B039F64B520FCA9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:false

                                Target ID:7
                                Start time:23:16:25
                                Start date:22/12/2024
                                Path:C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\is-G5IV4.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$3046E,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
                                Imagebase:0x9b0000
                                File size:3'366'912 bytes
                                MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                Target ID:8
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:11
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                Wow64 process (32bit):true
                                Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                Imagebase:0xc40000
                                File size:831'200 bytes
                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                Has exited:true

                                Target ID:12
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:13
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                Wow64 process (32bit):true
                                Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                Imagebase:0xc40000
                                File size:831'200 bytes
                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:14
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:15
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:16
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:17
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:18
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:19
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:20
                                Start time:23:16:28
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:21
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:22
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:23
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:24
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:25
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:26
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:27
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:28
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:29
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:30
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:31
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:32
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:33
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:34
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:35
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:36
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:37
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:38
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:39
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:40
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:41
                                Start time:23:16:29
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:43
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:44
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:45
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:46
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:47
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:48
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:49
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:50
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:51
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:52
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:53
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:54
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:55
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:56
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:57
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:58
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:59
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:60
                                Start time:23:16:30
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:61
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:62
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:63
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:64
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:65
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:66
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:67
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:68
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:69
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff632ac0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:70
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:71
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:72
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:73
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:74
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:75
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:76
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:77
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:78
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:79
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:80
                                Start time:23:16:31
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:81
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:82
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:83
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:84
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:85
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:86
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:87
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:88
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:89
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:90
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:91
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:92
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:93
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:94
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:95
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:96
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:97
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:98
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:99
                                Start time:23:16:32
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:100
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:101
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:102
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:103
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:104
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff662f70000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:105
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:106
                                Start time:23:16:33
                                Start date:22/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff70ca80000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:1.6%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:15.3%
                                  Total number of Nodes:790
                                  Total number of Limit Nodes:13
                                  execution_graph:interactive graph widget; the raw node/edge serialization is not reproduced here. Entry node 6c15cad3 leads through CRT I/O nodes (__dosmaperr, __wsopen_s, GetConsoleMode, ReadFile, ReadConsoleW, HeapFree, GetLastError, _free). Entry node 6bfd4a27 leads through nodes calling FindFirstFileA, CreateProcessA / WaitForSingleObject / CloseHandle, CreateFileA, Sleep, GetCurrentProcess / TerminateProcess, IsProcessorFeaturePresent, RaiseException, EnterCriticalSection / LeaveCriticalSection, plus CRT/STL helpers (_strlen, _Yarn, std::_Facet_Register, std::ios_base::_Ios_base_dtor, std::invalid_argument, std::_Xinvalid_argument); subgraphs 6c145960 and 6c00e010 are summarised by the tool only as "104 API calls" and "67 API calls".
100602 6c012171 100631 6c149379 RaiseException 100602->100631 100604 6c01217c 100604->100501 100606 6c147333 __EH_prolog3 100605->100606 100632 6c146eb5 100606->100632 100611 6c147351 100646 6c1473ba 39 API calls std::locale::_Setgloballocale 100611->100646 100613 6c1473ac 100613->100505 100614 6c147359 100647 6c1471b1 HeapFree GetLastError _Yarn ___std_exception_destroy 100614->100647 100616 6c14736f 100638 6c146ee6 100616->100638 100618 6c011dc7 100617->100618 100619 6c011ddc 100617->100619 100618->100508 100624 6c012250 30 API calls 100618->100624 100652 6c147447 100619->100652 100623 6c011e82 100624->100510 100625->100512 100626->100514 100627->100594 100628->100597 100629->100600 100630->100602 100631->100604 100633 6c146ec4 100632->100633 100634 6c146ecb 100632->100634 100648 6c1503cd 6 API calls std::_Lockit::_Lockit 100633->100648 100636 6c146ec9 100634->100636 100649 6c14858b EnterCriticalSection 100634->100649 100636->100616 100645 6c147230 6 API calls 2 library calls 100636->100645 100639 6c1503db 100638->100639 100641 6c146ef0 100638->100641 100651 6c1503b6 LeaveCriticalSection 100639->100651 100644 6c146f03 100641->100644 100650 6c148599 LeaveCriticalSection 100641->100650 100642 6c1503e2 100642->100613 100644->100613 100645->100611 100646->100614 100647->100616 100648->100636 100649->100636 100650->100644 100651->100642 100653 6c147450 100652->100653 100656 6c011dea 100653->100656 100661 6c14fd4a 100653->100661 100655 6c14749c 100655->100656 100672 6c14fa58 65 API calls 100655->100672 100656->100618 100660 6c14c563 18 API calls __wsopen_s 100656->100660 100658 6c1474b7 100658->100656 100673 6c150b18 100658->100673 100660->100623 100662 6c14fd55 __wsopen_s 100661->100662 100663 6c14fd68 100662->100663 100664 6c14fd88 100662->100664 100698 6c150120 18 API calls __wsopen_s 100663->100698 100671 6c14fd78 100664->100671 100684 6c15ae0c 100664->100684 100671->100655 100672->100658 100674 6c150b24 __wsopen_s 100673->100674 100675 6c150b43 100674->100675 
100676 6c150b2e 100674->100676 100680 6c150b3e 100675->100680 100807 6c14c5a9 EnterCriticalSection 100675->100807 100822 6c150120 18 API calls __wsopen_s 100676->100822 100679 6c150b60 100808 6c150b9c 100679->100808 100680->100656 100682 6c150b6b 100823 6c150b92 LeaveCriticalSection 100682->100823 100685 6c15ae18 __wsopen_s 100684->100685 100700 6c15039f EnterCriticalSection 100685->100700 100687 6c15ae26 100701 6c15aeb0 100687->100701 100692 6c15af72 100693 6c15b091 100692->100693 100725 6c15b114 100693->100725 100696 6c14fdcc 100699 6c14fdf5 LeaveCriticalSection 100696->100699 100698->100671 100699->100671 100700->100687 100705 6c15aed3 100701->100705 100702 6c15ae33 100715 6c15ae6c 100702->100715 100703 6c15af2b 100720 6c1571e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100703->100720 100705->100702 100705->100703 100718 6c14c5a9 EnterCriticalSection 100705->100718 100719 6c14c5bd LeaveCriticalSection 100705->100719 100706 6c15af34 100721 6c1547bb HeapFree GetLastError _free 100706->100721 100709 6c15af3d 100709->100702 100722 6c156c1f 6 API calls std::_Lockit::_Lockit 100709->100722 100711 6c15af5c 100723 6c14c5a9 EnterCriticalSection 100711->100723 100714 6c15af6f 100714->100702 100724 6c1503b6 LeaveCriticalSection 100715->100724 100717 6c14fda3 100717->100671 100717->100692 100718->100705 100719->100705 100720->100706 100721->100709 100722->100711 100723->100714 100724->100717 100726 6c15b133 100725->100726 100727 6c15b146 100726->100727 100731 6c15b15b 100726->100731 100741 6c150120 18 API calls __wsopen_s 100727->100741 100729 6c15b0a7 100729->100696 100738 6c163fde 100729->100738 100736 6c15b27b 100731->100736 100742 6c163ea8 37 API calls __wsopen_s 100731->100742 100733 6c15b2cb 100733->100736 100743 6c163ea8 37 API calls __wsopen_s 100733->100743 100735 6c15b2e9 100735->100736 100744 6c163ea8 37 API calls __wsopen_s 100735->100744 100736->100729 100745 6c150120 18 API calls __wsopen_s 100736->100745 100746 
6c164396 100738->100746 100741->100729 100742->100733 100743->100735 100744->100736 100745->100729 100747 6c1643a2 __wsopen_s 100746->100747 100748 6c1643d4 100747->100748 100749 6c1643a9 100747->100749 100755 6c163ffe 100748->100755 100764 6c150120 18 API calls __wsopen_s 100749->100764 100754 6c163ff9 100754->100696 100766 6c1506cb 100755->100766 100760 6c164034 100763 6c164066 100760->100763 100806 6c1547bb HeapFree GetLastError _free 100760->100806 100765 6c16442b LeaveCriticalSection __wsopen_s 100763->100765 100764->100754 100765->100754 100767 6c14bceb __fassign 37 API calls 100766->100767 100768 6c1506dd 100767->100768 100769 6c1569d5 __wsopen_s 5 API calls 100768->100769 100770 6c1506ef 100768->100770 100769->100770 100771 6c14bdf6 100770->100771 100772 6c14be4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 100771->100772 100773 6c14be0e 100772->100773 100773->100760 100774 6c16406c 100773->100774 100775 6c1644ec __wsopen_s 18 API calls 100774->100775 100776 6c164089 100775->100776 100777 6c16160c __wsopen_s 14 API calls 100776->100777 100780 6c16409e __dosmaperr 100776->100780 100778 6c1640bc 100777->100778 100779 6c164457 __wsopen_s CreateFileW 100778->100779 100778->100780 100785 6c164115 100779->100785 100780->100760 100781 6c164192 GetFileType 100783 6c1641e4 100781->100783 100784 6c16419d GetLastError 100781->100784 100782 6c164167 GetLastError 100782->100780 100789 6c1617b0 __wsopen_s SetStdHandle 100783->100789 100786 6c14f9f2 __dosmaperr 100784->100786 100785->100781 100785->100782 100787 6c164457 __wsopen_s CreateFileW 100785->100787 100788 6c1641ab CloseHandle 100786->100788 100790 6c16415a 100787->100790 100788->100780 100802 6c1641d4 100788->100802 100791 6c164205 100789->100791 100790->100781 100790->100782 100792 6c164251 100791->100792 100793 6c164666 __wsopen_s 70 API calls 100791->100793 100794 6c164710 __wsopen_s 70 API calls 100792->100794 100796 6c164258 100792->100796 100793->100792 100795 6c164286 100794->100795 
100795->100796 100797 6c164294 100795->100797 100798 6c15b925 __wsopen_s 21 API calls 100796->100798 100797->100780 100799 6c164310 CloseHandle 100797->100799 100798->100780 100800 6c164457 __wsopen_s CreateFileW 100799->100800 100801 6c16433b 100800->100801 100801->100802 100803 6c164345 GetLastError 100801->100803 100802->100780 100804 6c164351 __dosmaperr 100803->100804 100805 6c16171f __wsopen_s SetStdHandle 100804->100805 100805->100802 100806->100763 100807->100679 100809 6c150bbe 100808->100809 100810 6c150ba9 100808->100810 100820 6c150bb9 100809->100820 100824 6c150cb9 100809->100824 100846 6c150120 18 API calls __wsopen_s 100810->100846 100817 6c150be1 100839 6c15b898 100817->100839 100819 6c150be7 100819->100820 100847 6c1547bb HeapFree GetLastError _free 100819->100847 100820->100682 100822->100680 100823->100680 100825 6c150cd1 100824->100825 100829 6c150bd3 100824->100829 100826 6c159c60 18 API calls 100825->100826 100825->100829 100827 6c150cef 100826->100827 100848 6c15bb6c 100827->100848 100830 6c15873e 100829->100830 100831 6c158755 100830->100831 100832 6c150bdb 100830->100832 100831->100832 100904 6c1547bb HeapFree GetLastError _free 100831->100904 100834 6c159c60 100832->100834 100835 6c159c81 100834->100835 100836 6c159c6c 100834->100836 100835->100817 100905 6c150120 18 API calls __wsopen_s 100836->100905 100838 6c159c7c 100838->100817 100840 6c15b8be 100839->100840 100841 6c15b8a9 __dosmaperr 100839->100841 100842 6c15b8e5 100840->100842 100843 6c15b907 __dosmaperr 100840->100843 100841->100819 100906 6c15b9c1 100842->100906 100914 6c150120 18 API calls __wsopen_s 100843->100914 100846->100820 100847->100820 100849 6c15bb78 __wsopen_s 100848->100849 100850 6c15bbca 100849->100850 100852 6c15bc33 __dosmaperr 100849->100852 100855 6c15bb80 __dosmaperr 100849->100855 100859 6c161990 EnterCriticalSection 100850->100859 100889 6c150120 18 API calls __wsopen_s 100852->100889 100853 6c15bbd0 100857 6c15bbec __dosmaperr 100853->100857 100860 
6c15bc5e 100853->100860 100855->100829 100888 6c15bc2b LeaveCriticalSection __wsopen_s 100857->100888 100859->100853 100861 6c15bc80 100860->100861 100881 6c15bc9c __dosmaperr 100860->100881 100862 6c15bcd4 100861->100862 100863 6c15bc84 __dosmaperr 100861->100863 100864 6c15bce7 100862->100864 100898 6c15ac69 20 API calls __wsopen_s 100862->100898 100897 6c150120 18 API calls __wsopen_s 100863->100897 100890 6c15be40 100864->100890 100869 6c15bcfd 100873 6c15bd26 100869->100873 100874 6c15bd01 100869->100874 100870 6c15bd3c 100871 6c15bd95 WriteFile 100870->100871 100872 6c15bd50 100870->100872 100875 6c15bdb9 GetLastError 100871->100875 100871->100881 100877 6c15bd85 100872->100877 100878 6c15bd5b 100872->100878 100900 6c15beb1 43 API calls 5 library calls 100873->100900 100874->100881 100899 6c15c25b 6 API calls __wsopen_s 100874->100899 100875->100881 100903 6c15c2c3 7 API calls 2 library calls 100877->100903 100882 6c15bd75 100878->100882 100883 6c15bd60 100878->100883 100881->100857 100902 6c15c487 8 API calls 3 library calls 100882->100902 100883->100881 100885 6c15bd65 100883->100885 100884 6c15bd73 100884->100881 100901 6c15c39e 7 API calls 2 library calls 100885->100901 100888->100855 100889->100855 100891 6c1619e5 __wsopen_s 18 API calls 100890->100891 100892 6c15be51 100891->100892 100893 6c15bcf8 100892->100893 100894 6c1549b2 __Getctype 37 API calls 100892->100894 100893->100869 100893->100870 100895 6c15be74 100894->100895 100895->100893 100896 6c15be8e GetConsoleMode 100895->100896 100896->100893 100897->100881 100898->100864 100899->100881 100900->100881 100901->100884 100902->100884 100903->100884 100904->100832 100905->100838 100907 6c15b9cd __wsopen_s 100906->100907 100915 6c161990 EnterCriticalSection 100907->100915 100909 6c15b9db 100911 6c15ba08 100909->100911 100916 6c15b925 100909->100916 100929 6c15ba41 LeaveCriticalSection __wsopen_s 100911->100929 100913 6c15ba2a 100913->100841 100914->100841 100915->100909 100930 6c1615a2 100916->100930 
100918 6c15b93b 100935 6c16171f SetStdHandle __dosmaperr __wsopen_s 100918->100935 100920 6c15b935 100920->100918 100921 6c1615a2 __wsopen_s 18 API calls 100920->100921 100928 6c15b96d 100920->100928 100923 6c15b964 100921->100923 100922 6c1615a2 __wsopen_s 18 API calls 100924 6c15b979 CloseHandle 100922->100924 100925 6c1615a2 __wsopen_s 18 API calls 100923->100925 100924->100918 100926 6c15b985 GetLastError 100924->100926 100925->100928 100926->100918 100927 6c15b993 __dosmaperr 100927->100911 100928->100918 100928->100922 100929->100913 100932 6c1615c4 __dosmaperr 100930->100932 100933 6c1615af __dosmaperr 100930->100933 100931 6c1615e9 100931->100920 100932->100931 100934 6c150120 __wsopen_s 18 API calls 100932->100934 100933->100920 100934->100933 100935->100927 100936->100529 100937->100531 100938->100533 100940 6c1465dc 100939->100940 100941 6c146608 100939->100941 100955 6c146601 100940->100955 100962 6c012250 30 API calls 100940->100962 100946 6c146619 100941->100946 100960 6c013560 32 API calls std::_Xinvalid_argument 100941->100960 100944 6c1467e8 100963 6c012340 24 API calls 100944->100963 100946->100955 100961 6c012f60 42 API calls 4 library calls 100946->100961 100947 6c1467f7 100964 6c149379 RaiseException 100947->100964 100951 6c146827 100966 6c012340 24 API calls 100951->100966 100953 6c14683d 100967 6c149379 RaiseException 100953->100967 100955->100543 100956 6c146653 100956->100955 100965 6c012250 30 API calls 100956->100965 100957->100543 100958->100543 100959->100543 100960->100946 100961->100956 100962->100944 100963->100947 100964->100956 100965->100951 100966->100953 100967->100955 100968->100548 100969->100550 100970->100548 100971->100548 100972->100548 100974 6c01022e 100973->100974 100975 6c0104d6 100974->100975 100980 6c1517db 100974->100980 100975->100561 100977->100562 100978->100564 100979->100566 100981 6c151806 100980->100981 100982 6c1517e9 100980->100982 100981->100974 100982->100981 100983 6c1517f6 100982->100983 100984 6c15180a 
100982->100984 100996 6c150120 18 API calls __wsopen_s 100983->100996 100988 6c151a02 100984->100988 100989 6c151a0e __wsopen_s 100988->100989 100997 6c14c5a9 EnterCriticalSection 100989->100997 100991 6c151a1c 100998 6c1519bf 100991->100998 100995 6c15183c 100995->100974 100996->100981 100997->100991 101006 6c1585a6 100998->101006 101004 6c1519f9 101005 6c151a51 LeaveCriticalSection 101004->101005 101005->100995 101007 6c159c60 18 API calls 101006->101007 101008 6c1585b7 101007->101008 101009 6c1619e5 __wsopen_s 18 API calls 101008->101009 101011 6c1585bd __wsopen_s 101009->101011 101010 6c1519d3 101013 6c15183e 101010->101013 101011->101010 101023 6c1547bb HeapFree GetLastError _free 101011->101023 101015 6c151850 101013->101015 101017 6c15186e 101013->101017 101014 6c15185e 101024 6c150120 18 API calls __wsopen_s 101014->101024 101015->101014 101015->101017 101020 6c151886 _Yarn 101015->101020 101022 6c158659 62 API calls 101017->101022 101018 6c150cb9 62 API calls 101018->101020 101019 6c159c60 18 API calls 101019->101020 101020->101017 101020->101018 101020->101019 101021 6c15bb6c __wsopen_s 62 API calls 101020->101021 101021->101020 101022->101004 101023->101010 101024->101017 101025->100583 101026->100585 101027->100587 101028->100484 101029->100491 101030->100493 101031->100486 101032->100489 101033 6c14ef3f 101034 6c14ef4b __wsopen_s 101033->101034 101035 6c14ef52 GetLastError ExitThread 101034->101035 101036 6c14ef5f 101034->101036 101045 6c1549b2 GetLastError 101036->101045 101041 6c14ef7b 101078 6c14eeaa 16 API calls 2 library calls 101041->101078 101044 6c14ef9d 101046 6c1549c9 101045->101046 101051 6c1549cf 101045->101051 101079 6c156b23 6 API calls std::_Lockit::_Lockit 101046->101079 101049 6c1549ed 101050 6c1549d5 SetLastError 101049->101050 101052 6c1549f1 101049->101052 101058 6c14ef64 101050->101058 101059 6c154a69 101050->101059 101051->101050 101080 6c156b62 6 API calls std::_Lockit::_Lockit 101051->101080 101081 6c1571e5 EnterCriticalSection 
LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 101052->101081 101054 6c1549fd 101056 6c154a05 101054->101056 101057 6c154a1c 101054->101057 101082 6c156b62 6 API calls std::_Lockit::_Lockit 101056->101082 101084 6c156b62 6 API calls std::_Lockit::_Lockit 101057->101084 101072 6c159d66 101058->101072 101087 6c150ac9 37 API calls std::locale::_Setgloballocale 101059->101087 101063 6c154a13 101083 6c1547bb HeapFree GetLastError _free 101063->101083 101065 6c154a28 101066 6c154a3d 101065->101066 101067 6c154a2c 101065->101067 101086 6c1547bb HeapFree GetLastError _free 101066->101086 101085 6c156b62 6 API calls std::_Lockit::_Lockit 101067->101085 101070 6c154a19 101070->101050 101073 6c14ef6f 101072->101073 101074 6c159d78 GetPEB 101072->101074 101073->101041 101077 6c156d6f 5 API calls std::_Lockit::_Lockit 101073->101077 101074->101073 101075 6c159d8b 101074->101075 101088 6c156e18 5 API calls std::_Lockit::_Lockit 101075->101088 101077->101041 101078->101044 101079->101051 101080->101049 101081->101054 101082->101063 101083->101070 101084->101065 101085->101063 101086->101070 101088->101073 101089 6bfc3d62 101091 6bfc3bc0 101089->101091 101090 6bfc3e8a GetCurrentThread NtSetInformationThread 101092 6bfc3eea 101090->101092 101091->101090 101093 6bfdf8a3 101095 6bfdf887 101093->101095 101094 6bfe02ac GetCurrentProcess TerminateProcess 101096 6bfe02ca 101094->101096 101095->101094 101097 6bfd3b72 101098 6c146a43 std::_Facet_Register 4 API calls 101097->101098 101099 6bfd37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 101098->101099 101100 6c13aec0 FindFirstFileA 101099->101100 101102 6bfe6ba0 104 API calls 101099->101102 101104 6bfe7090 77 API calls 101099->101104 101105 6c00e010 67 API calls 101099->101105 101106 6bfe639e 101099->101106 101110 6bfe6e60 101099->101110 101100->101099 101102->101099 101104->101099 101105->101099 101120 6c150130 18 API calls 2 library calls 101106->101120 101111 6bfe6e9f 101110->101111 101114 6bfe6eb3 101111->101114 
101121 6c013560 32 API calls std::_Xinvalid_argument 101111->101121 101117 6bfe6f5b 101114->101117 101123 6c012250 30 API calls 101114->101123 101124 6c0126e0 24 API calls 4 library calls 101114->101124 101125 6c149379 RaiseException 101114->101125 101116 6bfe6f6e 101116->101099 101117->101116 101122 6c0137e0 32 API calls std::_Xinvalid_argument 101117->101122 101121->101114 101122->101116 101123->101114 101124->101114 101125->101114 101126 6bfc4b53 101127 6c146a43 std::_Facet_Register 4 API calls 101126->101127 101128 6bfc4b5c _Yarn 101127->101128 101129 6c13aec0 FindFirstFileA 101128->101129 101134 6bfc4bae std::ios_base::_Ios_base_dtor 101129->101134 101130 6bfe639e 101307 6c150130 18 API calls 2 library calls 101130->101307 101132 6bfc4cff 101133 6bfc5164 CreateFileA CloseHandle 101138 6bfc51ec 101133->101138 101134->101130 101134->101132 101134->101133 101135 6bfd245a _Yarn _strlen 101134->101135 101135->101130 101137 6c13aec0 FindFirstFileA 101135->101137 101153 6bfd2a83 std::ios_base::_Ios_base_dtor 101137->101153 101284 6c145120 OpenSCManagerA 101138->101284 101140 6bfcfc00 101300 6c145240 CreateToolhelp32Snapshot 101140->101300 101142 6c146a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101178 6bfc5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 101142->101178 101145 6c13aec0 FindFirstFileA 101145->101178 101146 6bfd37d0 Sleep 101190 6bfd37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 101146->101190 101147 6bfe63b2 101308 6bfc15e0 18 API calls std::ios_base::_Ios_base_dtor 101147->101308 101148 6c145240 4 API calls 101166 6bfd053a 101148->101166 101150 6c145240 4 API calls 101172 6bfd12e2 101150->101172 101151 6bfcffe3 101151->101148 101158 6bfd0abc 101151->101158 101152 6bfe64f8 101153->101130 101288 6c130390 101153->101288 101154 6bfe6ba0 104 API calls 101154->101178 101155 6bfe6e60 32 API calls 101155->101178 101157 6c145240 4 API calls 101157->101158 101158->101135 101158->101150 101159 
6bfe7090 77 API calls 101159->101178 101160 6c145240 4 API calls 101179 6bfd1dd9 101160->101179 101161 6bfd211c 101161->101135 101162 6bfd241a 101161->101162 101165 6c130390 11 API calls 101162->101165 101163 6c13aec0 FindFirstFileA 101163->101190 101164 6c00e010 67 API calls 101164->101178 101168 6bfd244d 101165->101168 101166->101157 101166->101158 101167 6bfc6722 101297 6c141880 25 API calls 4 library calls 101167->101297 101306 6c145d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101168->101306 101170 6bfd2452 Sleep 101170->101135 101171 6bfc6162 101172->101160 101172->101161 101182 6bfd16ac 101172->101182 101173 6bfc740b 101174 6c144ff0 4 API calls 101173->101174 101183 6bfc775a _strlen 101174->101183 101175 6c145240 4 API calls 101175->101161 101176 6bfe6ba0 104 API calls 101176->101190 101177 6bfe6e60 32 API calls 101177->101190 101178->101130 101178->101140 101178->101142 101178->101145 101178->101154 101178->101155 101178->101159 101178->101164 101178->101167 101178->101171 101179->101161 101179->101175 101180 6bfe7090 77 API calls 101180->101190 101181 6c00e010 67 API calls 101181->101190 101183->101130 101184 6bfc7ba9 101183->101184 101185 6bfc7b92 101183->101185 101188 6bfc7b43 _Yarn 101183->101188 101187 6c146a43 std::_Facet_Register 4 API calls 101184->101187 101186 6c146a43 std::_Facet_Register 4 API calls 101185->101186 101186->101188 101187->101188 101189 6c13aec0 FindFirstFileA 101188->101189 101199 6bfc7be7 std::ios_base::_Ios_base_dtor 101189->101199 101190->101130 101190->101163 101190->101176 101190->101177 101190->101180 101190->101181 101191 6c144ff0 4 API calls 101202 6bfc8a07 101191->101202 101192 6bfc9d7f 101196 6c146a43 std::_Facet_Register 4 API calls 101192->101196 101193 6bfc9d68 101195 6c146a43 std::_Facet_Register 4 API calls 101193->101195 101194 6bfc962c _strlen 101194->101130 101194->101192 101194->101193 101197 6bfc9d18 _Yarn 101194->101197 101195->101197 101196->101197 
101198 6c13aec0 FindFirstFileA 101197->101198 101205 6bfc9dbd std::ios_base::_Ios_base_dtor 101198->101205 101199->101130 101199->101191 101199->101194 101200 6bfc8387 101199->101200 101201 6c144ff0 4 API calls 101210 6bfc9120 101201->101210 101202->101201 101203 6c144ff0 4 API calls 101220 6bfca215 _strlen 101203->101220 101204 6c144ff0 4 API calls 101206 6bfc9624 101204->101206 101205->101130 101205->101203 101211 6bfce8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 101205->101211 101298 6c145d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101206->101298 101207 6c146a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101207->101211 101209 6c13aec0 FindFirstFileA 101209->101211 101210->101204 101211->101130 101211->101207 101211->101209 101212 6bfcf7b1 101211->101212 101213 6bfced02 Sleep 101211->101213 101299 6c145d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101212->101299 101232 6bfce8c1 101213->101232 101215 6bfce8dd GetCurrentProcess TerminateProcess 101215->101211 101216 6bfca9bb 101219 6c146a43 std::_Facet_Register 4 API calls 101216->101219 101217 6bfca9a4 101218 6c146a43 std::_Facet_Register 4 API calls 101217->101218 101227 6bfca953 _Yarn _strlen 101218->101227 101219->101227 101220->101130 101220->101216 101220->101217 101220->101227 101221 6c144ff0 4 API calls 101221->101232 101222 6bfcfbb8 101223 6bfcfbe8 ExitWindowsEx Sleep 101222->101223 101223->101140 101224 6bfcf7c0 101224->101222 101225 6bfcb009 101229 6c146a43 std::_Facet_Register 4 API calls 101225->101229 101226 6bfcaff0 101228 6c146a43 std::_Facet_Register 4 API calls 101226->101228 101227->101147 101227->101225 101227->101226 101230 6bfcafa0 _Yarn 101227->101230 101228->101230 101229->101230 101231 6c145960 104 API calls 101230->101231 101233 6bfcb059 std::ios_base::_Ios_base_dtor _strlen 101231->101233 101232->101211 
101232->101215 101232->101221 101233->101130 101234 6bfcb42c 101233->101234 101235 6bfcb443 101233->101235 101238 6bfcb3da _Yarn _strlen 101233->101238 101236 6c146a43 std::_Facet_Register 4 API calls 101234->101236 101237 6c146a43 std::_Facet_Register 4 API calls 101235->101237 101236->101238 101237->101238 101238->101147 101239 6bfcb79e 101238->101239 101240 6bfcb7b7 101238->101240 101243 6bfcb751 _Yarn 101238->101243 101242 6c146a43 std::_Facet_Register 4 API calls 101239->101242 101241 6c146a43 std::_Facet_Register 4 API calls 101240->101241 101241->101243 101242->101243 101244 6c145960 104 API calls 101243->101244 101245 6bfcb804 std::ios_base::_Ios_base_dtor _strlen 101244->101245 101245->101130 101246 6bfcbc0f 101245->101246 101247 6bfcbc26 101245->101247 101250 6bfcbbbd _Yarn _strlen 101245->101250 101248 6c146a43 std::_Facet_Register 4 API calls 101246->101248 101249 6c146a43 std::_Facet_Register 4 API calls 101247->101249 101248->101250 101249->101250 101250->101147 101251 6bfcc08e 101250->101251 101252 6bfcc075 101250->101252 101255 6bfcc028 _Yarn 101250->101255 101254 6c146a43 std::_Facet_Register 4 API calls 101251->101254 101253 6c146a43 std::_Facet_Register 4 API calls 101252->101253 101253->101255 101254->101255 101256 6c145960 104 API calls 101255->101256 101261 6bfcc0db std::ios_base::_Ios_base_dtor _strlen 101256->101261 101257 6bfcc7bc 101260 6c146a43 std::_Facet_Register 4 API calls 101257->101260 101258 6bfcc7a5 101259 6c146a43 std::_Facet_Register 4 API calls 101258->101259 101268 6bfcc753 _Yarn _strlen 101259->101268 101260->101268 101261->101130 101261->101257 101261->101258 101261->101268 101262 6bfcd3ed 101264 6c146a43 std::_Facet_Register 4 API calls 101262->101264 101263 6bfcd406 101265 6c146a43 std::_Facet_Register 4 API calls 101263->101265 101266 6bfcd39a _Yarn 101264->101266 101265->101266 101267 6c145960 104 API calls 101266->101267 101269 6bfcd458 std::ios_base::_Ios_base_dtor _strlen 101267->101269 101268->101147 101268->101262 
101268->101263 101268->101266 101274 6bfccb2f 101268->101274 101269->101130 101270 6bfcd8bb 101269->101270 101271 6bfcd8a4 101269->101271 101275 6bfcd852 _Yarn _strlen 101269->101275 101273 6c146a43 std::_Facet_Register 4 API calls 101270->101273 101272 6c146a43 std::_Facet_Register 4 API calls 101271->101272 101272->101275 101273->101275 101275->101147 101276 6bfcdccf 101275->101276 101277 6bfcdcb6 101275->101277 101280 6bfcdc69 _Yarn 101275->101280 101279 6c146a43 std::_Facet_Register 4 API calls 101276->101279 101278 6c146a43 std::_Facet_Register 4 API calls 101277->101278 101278->101280 101279->101280 101281 6c145960 104 API calls 101280->101281 101283 6bfcdd1c std::ios_base::_Ios_base_dtor 101281->101283 101282 6c144ff0 4 API calls 101282->101211 101283->101130 101283->101282 101285 6c145156 101284->101285 101286 6c1451e8 OpenServiceA 101285->101286 101287 6c14522f 101285->101287 101286->101285 101287->101178 101294 6c1303a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 101288->101294 101289 6c133f5f CloseHandle 101289->101294 101290 6c13310e CloseHandle 101290->101294 101291 6bfd37cb 101296 6c145d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101291->101296 101292 6c11c1e0 WriteFile WriteFile WriteFile ReadFile 101292->101294 101293 6c13251b CloseHandle 101293->101294 101294->101289 101294->101290 101294->101291 101294->101292 101294->101293 101309 6c11b730 101294->101309 101296->101146 101297->101173 101298->101194 101299->101224 101301 6c1452a0 std::locale::_Setgloballocale 101300->101301 101302 6c145277 CloseHandle 101301->101302 101303 6c145320 Process32NextW 101301->101303 101304 6c1453b1 101301->101304 101305 6c145345 Process32FirstW 101301->101305 101302->101301 101303->101301 101304->101151 101305->101301 101306->101170 101308->101152 101310 6c11b743 _Yarn __wsopen_s std::locale::_Setgloballocale 101309->101310 101311 6c11c180 101310->101311 101312 6c11bced CreateFileA 101310->101312 
101314 6c11aa30 101310->101314 101311->101294 101312->101310 101315 6c11aa43 __wsopen_s std::locale::_Setgloballocale 101314->101315 101316 6c11b43d WriteFile 101315->101316 101317 6c11b3e9 WriteFile 101315->101317 101318 6c11b718 101315->101318 101319 6c11ab95 ReadFile 101315->101319 101316->101315 101317->101315 101318->101310 101319->101315
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
• Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: _strlen
                                  • String ID: HR^
                                  • API String ID: 4218353326-1341859651
                                  • Opcode ID: 77b714857235f029e55793a2bf7ae3ac51f048f1ae054ed4c248b4319065f290
                                  • Instruction ID: 1db0d2c3d823553d8ade0a3f93ec97e52530dca10015ddf342f6f6ac82e94cc8
                                  • Opcode Fuzzy Hash: 77b714857235f029e55793a2bf7ae3ac51f048f1ae054ed4c248b4319065f290
                                  • Instruction Fuzzy Hash: 2374F772644B028FC728CF28C8D0697B7F3EF953147198A6DC0968B765E778B58ACB41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
• Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: }jk$;T55$L@^
                                  • API String ID: 0-4218709813
                                  • Opcode ID: 73a35688d7573a091f58fa3849f5d200205ab1ab67baa244429bb5a5134ff733
                                  • Instruction ID: 957c48b92ae11d1d74eed78e6591e2e62ec0720e664045d865c3f2f6027871fe
                                  • Opcode Fuzzy Hash: 73a35688d7573a091f58fa3849f5d200205ab1ab67baa244429bb5a5134ff733
                                  • Instruction Fuzzy Hash: 4334F872644B018FC728CF28C8D0796B7E3EF95314B1D8A6DC09A4B765EB78B54ACB50

                                  Control-flow Graph
                                  • Rendered graph not recoverable in text. Function entry 6c145240. Its nodes call CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and CloseHandle, plus the internal routines 6c152c05 and 6c14b920: the standard Toolhelp process-enumeration loop.
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C14524E (dwFlags 0x2 = TH32CS_SNAPPROCESS, th32ProcessID 0: a snapshot of every process on the system, which the graph then walks with Process32FirstW/Process32NextW)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: CreateSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 3332741929-0
                                  • Opcode ID: b087dc76849cb24bc08641caf1d40b9f39b61bbd72eca96d5220cbc60f79745c
                                  • Instruction ID: 0e9c5a47541b80a39ed4697e7dc25a4bf59fee9a5db695b58684d3a789e3f5ab
                                  • Opcode Fuzzy Hash: b087dc76849cb24bc08641caf1d40b9f39b61bbd72eca96d5220cbc60f79745c
                                  • Instruction Fuzzy Hash: BB316C75608300EFD7109F28C888B0ABBF5AF96758F91892EF498C73A0D371D8488B53

                                  Control-flow Graph
                                  • Rendered graph not recoverable in text. Function entry 6bfc3886. The nodes call the internal routines 6c111470, 6c111480 and 6bfc3750; the block 6bfc3e81-6bfc3ee0 calls GetCurrentThread immediately followed by NtSetInformationThread, the only Windows API calls in this graph.
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a1ff156c05cfb056871bcb9c3e8dd93752feb1a77f8dcd6c5fa920d8f4ec90e
                                  • Instruction ID: f2a50640eb33d7d275eb9a0b021274d52fd43ff2e51c047f92c98499c1035dfc
                                  • Opcode Fuzzy Hash: 2a1ff156c05cfb056871bcb9c3e8dd93752feb1a77f8dcd6c5fa920d8f4ec90e
                                  • Instruction Fuzzy Hash: DE32C5336447028FC334CF18C890697B7E3EF913547698A6CC0EA5B6A5D779B48ACB51

                                  Control-flow Graph
                                  • Rendered graph not recoverable in text. Function entry 6bfc3a6a. The graph overlaps the 6bfc3886 function above (same internal callees 6c111470, 6c111480 and 6bfc3750) and reaches the same block 6bfc3e81-6bfc3ee0 that calls GetCurrentThread followed by NtSetInformationThread.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: 465c0423a8d873a6bc64cf8c630609abebc48f271a9fea6687ee2bbf9e9b16be
                                  • Instruction ID: 426d1c085ca6ac647e246b0fc2c4771b79c4fa41d3fdee37675260132dbc4533
                                  • Opcode Fuzzy Hash: 465c0423a8d873a6bc64cf8c630609abebc48f271a9fea6687ee2bbf9e9b16be
                                  • Instruction Fuzzy Hash: 6051CF73548B028FC3308F28C4807C7B7A3AF95354F658A5DC0E61B6A5DB79B48A8B52
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: 9366ebd907d723f9fd0131c90bc0b783aa41cd5dc03a3ba70bf1cf7d89293c37
                                  • Instruction ID: 092ad76bcd49d0c1175a98e34414035ce59c16daf49c79db027b781bd5b0187f
                                  • Opcode Fuzzy Hash: 9366ebd907d723f9fd0131c90bc0b783aa41cd5dc03a3ba70bf1cf7d89293c37
                                  • Instruction Fuzzy Hash: 5B51B173504B028BC330CF28C4807D7B7A3BF95354F658A5DC0E65B6A5DB79B48A8B92
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 6BFC3E9D
                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFC3EAA (ThreadInformationClass 0x11 = ThreadHideFromDebugger, with ThreadInformation NULL and length 0; the handle comes from the preceding GetCurrentThread. Once set, the thread no longer delivers debug events to an attached debugger, so breakpoints and single-stepping in it silently fail; this is the call behind the "hides threads from debuggers" behaviour. The flag cannot be cleared, but it can be read back with NtQueryInformationThread(ThreadHideFromDebugger) when triaging a live process.)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: Thread$CurrentInformation
                                  • String ID:
                                  • API String ID: 1650627709-0
                                  • Opcode ID: cff0ac22635eaa581fea5395c067189b36b32b2dc4ab85a7d6009a838ef6f2f2
                                  • Instruction ID: f33e7079b93cdb0290a01da752b4b30ed8177a8901cf8cf3b05110f93109eabf
                                  • Opcode Fuzzy Hash: cff0ac22635eaa581fea5395c067189b36b32b2dc4ab85a7d6009a838ef6f2f2
                                  • Instruction Fuzzy Hash: 1631DE32549B028BC7208F28C8847C7B7B2AF96354F258A1DC0E65B6A1DB797489CB52
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 6BFC3E9D
                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFC3EAA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: Thread$CurrentInformation
                                  • String ID:
                                  • API String ID: 1650627709-0
                                  • Opcode ID: 23932bbf4e2640ed29e120e0c6b48733f8f41e6fd338d8cb376856e9d5c57166
                                  • Instruction ID: 4153615f829ae5f265311ff4370b3d326c1c00324412069d1d19cf19c961bd76
                                  • Opcode Fuzzy Hash: 23932bbf4e2640ed29e120e0c6b48733f8f41e6fd338d8cb376856e9d5c57166
                                  • Instruction Fuzzy Hash: DB31D033148B028BC734CF28C494797B7B2AF96344F254E5DC0E65B2A5DB797489CB52
                                  APIs
                                  • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C145130 (lpMachineName NULL = local machine, lpDatabaseName NULL = the active services database, dwDesiredAccess 0x1 = SC_MANAGER_CONNECT. Connect-only rights are enough to OpenService/StartService an existing service, including a driver service, but not to create one; a later CreateService would need SC_MANAGER_CREATE_SERVICE, which this call does not request.)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ManagerOpen
                                  • String ID:
                                  • API String ID: 1889721586-0
                                  • Opcode ID: bcfa276c3d2fca028bcf2d29ad39f58a7a43c16dc4ce354c7257f70511036504
                                  • Instruction ID: ef3cf6d9be717db8662b4784fc7f1c70b98a1e1e639d4ae4ceedd1dfee8b3a77
                                  • Opcode Fuzzy Hash: bcfa276c3d2fca028bcf2d29ad39f58a7a43c16dc4ce354c7257f70511036504
                                  • Instruction Fuzzy Hash: F3312AB4608341EFC7119F28C544B0ABBF0EB8AB58F54895EF888C6360C371C945DB63
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 6BFC3E9D
                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFC3EAA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: Thread$CurrentInformation
                                  • String ID:
                                  • API String ID: 1650627709-0
                                  • Opcode ID: 146064278bd099e00767dab617f5133b0b32bbbd106691ea5c1264e1a4c70e4c
                                  • Instruction ID: 0d8b01770cfcf9fa9ee9bfe0642a2e575da2ca04d855c2cd0c1ed440e2f1630a
                                  • Opcode Fuzzy Hash: 146064278bd099e00767dab617f5133b0b32bbbd106691ea5c1264e1a4c70e4c
                                  • Instruction Fuzzy Hash: D721D172558B028BD7348F28C8947D7B7B2AF52744F244E1DC0E64B6A0DB79A488CB53
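The decoded calls in the records above (the Toolhelp snapshot at 6C14524E, the NtSetInformationThread call at 6BFC3EAA and the OpenSCManagerA call at 6C145130) are the raw evidence behind the report's anti-debugging and process-discovery verdicts, but the report only prints the argument values as hex. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the report's own `Name.Module(args), ref: ADDR` shape (the sample lines are copied from this section's records and embedded as constructed input), decodes the numeric arguments against Windows constant tables, and emits triage tags so the anti-analysis calls can be pulled out of a long report mechanically. The constant tables, the tag wording and the function names are the example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed input: API lines in the report's "Name.Module(args), ref: ADDR"
# shape, copied from the function records in this section. "?" marks an
# argument the static pass could not resolve.
SAMPLE_LINES = [
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C14524E",
    "• GetCurrentThread.KERNEL32 ref: 6BFC3E9D",
    "• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFC3EAA",
    "• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C145130",
    "• FindFirstFileA.KERNEL32(?,?), ref: 6C13AEDC",
    "• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C11ABA7",
]

API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)"      # ApiName.MODULE
    r"(?:\((?P<args>[^)]*)\))?"             # optional (arg,arg,...)
    r",?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"   # ", ref: ADDR"
)

# Windows constants used to decode the raw values (tables assumed by this
# example; the report itself prints only the numbers).
TH32CS_FLAGS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE",
                0x10: "TH32CS_SNAPMODULE32"}
THREADINFOCLASS = {0x11: "ThreadHideFromDebugger"}
SC_MANAGER_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
                     0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
                     0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
                     0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one report API line; None if the line is not an API record."""
    m = API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m.group("args")
    args: List[Optional[int]] = []
    if raw:
        # "?" is an unresolved argument; everything else is a hex immediate
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": m.group("ref").upper()}


def _flag_names(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed constant names, falling back to hex."""
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def classify(call: Dict) -> List[str]:
    """Map a decoded call to triage tags; an empty list means nothing of note."""
    name, args = call["name"], call["args"]
    tags: List[str] = []
    if name == "NtSetInformationThread" and len(args) >= 2 and args[1] is not None:
        if THREADINFOCLASS.get(args[1]) == "ThreadHideFromDebugger":
            tags.append("anti-debug: NtSetInformationThread(ThreadHideFromDebugger)")
    elif name == "CreateToolhelp32Snapshot" and args and args[0] is not None:
        if args[0] & 0x2:   # TH32CS_SNAPPROCESS: enumerating other processes
            tags.append("discovery: process enumeration (%s)"
                        % _flag_names(args[0], TH32CS_FLAGS))
    elif name in ("OpenSCManagerA", "OpenSCManagerW") and len(args) >= 3 and args[2] is not None:
        tags.append("services: SCM opened with %s"
                    % _flag_names(args[2], SC_MANAGER_ACCESS))
    return tags


def scan(lines: List[str]) -> List[Dict]:
    """Return the flagged calls, each with its ref address, name and tags."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        tags = classify(call)
        if tags:
            findings.append({"ref": call["ref"], "name": call["name"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["ref"], f["name"], "; ".join(f["tags"]))
```

Run against the six sample lines the scanner flags exactly the three calls named in the lead-in and stays quiet on GetCurrentThread, FindFirstFileA and ReadFile; the regex tolerates both the argument-less form (`GetCurrentThread.KERNEL32 ref: ...`) and unresolved `?` arguments, which is where naive splitting on commas usually breaks.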
                                  APIs
                                  • FindFirstFileA.KERNEL32(?,?), ref: 6C13AEDC
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: 089c088cf068c277916c1ccb5157a00bd387192eb5319a5997a14175f034212a
                                  • Instruction ID: 6faf424f6de0a89d10563f24d7f2ca596f3d9686242c8a5d48724482f5c1ee5d
                                  • Opcode Fuzzy Hash: 089c088cf068c277916c1ccb5157a00bd387192eb5319a5997a14175f034212a
                                  • Instruction Fuzzy Hash: 4E113AB45083609FDB109F68D94450E7BE8BF96318F159E99F4A8CB691D334CC448B62
                                  APIs
                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C11ABA7 (nNumberOfBytesToRead 0x1000 = 4096-byte chunks, lpOverlapped NULL = synchronous read; handle and buffer unresolved statically)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                  • API String ID: 2738559852-1563143607
                                  • Opcode ID: dcf54125f2d3f3c819fe8a11e885c69462403ea4664192c87ebe75c823bc7112
                                  • Instruction ID: 02eeaec0b8695909d21fc96b223ee40d918c77be0bd46338764bd2be8179c4f6
                                  • Opcode Fuzzy Hash: dcf54125f2d3f3c819fe8a11e885c69462403ea4664192c87ebe75c823bc7112
                                  • Instruction Fuzzy Hash: F6625BB060D3818FC724CF18C490A5ABBE2ABDA314F148D6EE599C7B51D738E949CB47

                                  Control-flow Graph
                                  • Rendered graph not recoverable in text. Function entry 6c15cad3. The nodes call GetConsoleMode, ReadConsoleW, ReadFile and GetLastError plus internal helpers (6c14f9df, 6c14f9cc, 6c150120, 6c1547bb, 6c1547f5, 6c15ac69, 6c1619e5, 6c15cefe, 6c15ce83, 6c15d1b6); the console-mode check followed by ReadConsoleW or ReadFile and an errno-style GetLastError path is the shape of a C runtime low-level read routine rather than sample-specific logic.
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8Q
                                  • API String ID: 0-4022487301
                                  • Opcode ID: ed12260f6a73ed945745d61445a112e97a7e6a64c665ff3247d93f1959ba64db
                                  • Instruction ID: 187624c6d7dc9de83f4c121705596baea8e0ce24c86f26c07d796d118b3043b3
                                  • Opcode Fuzzy Hash: ed12260f6a73ed945745d61445a112e97a7e6a64c665ff3247d93f1959ba64db
                                  • Instruction Fuzzy Hash: 90C1D4B0E04249AFDB01EF98C890BADBFB1EF4E318F904159E960AB781C7749955CB60

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 6C164457: CreateFileW.KERNEL32(00000000,00000000,?,6C164115,?,?,00000000,?,6C164115,00000000,0000000C), ref: 6C164474
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C164180
                                  • __dosmaperr.LIBCMT ref: 6C164187
                                  • GetFileType.KERNEL32(00000000), ref: 6C164193
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C16419D
                                  • __dosmaperr.LIBCMT ref: 6C1641A6
                                  • CloseHandle.KERNEL32(00000000), ref: 6C1641C6
                                  • CloseHandle.KERNEL32(6C15B0D0), ref: 6C164313
                                  • GetLastError.KERNEL32 ref: 6C164345
                                  • __dosmaperr.LIBCMT ref: 6C16434C
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: 8Q
                                  • API String ID: 4237864984-4022487301
                                  • Opcode ID: ee94a9dff0fdcf61881be7f54d319ea33c16cb3544fa51d72623c3b905beda22
                                  • Instruction ID: 7711b00b9ce9250ce5dd69ca2c5870060dd46990d054c64cbcb1b9164c2fdf6f
                                  • Opcode Fuzzy Hash: ee94a9dff0fdcf61881be7f54d319ea33c16cb3544fa51d72623c3b905beda22
                                  • Instruction Fuzzy Hash: 06A13632A041549FCF09DF69C8617AE7BB1AB07328F28425DE851AFBC1C7359826CB51

                                  Control-flow Graph

                                  Similarity
                                  • API ID:
                                  • String ID: :uW$;uW$;uW$> 4!$> 4!
                                  • API String ID: 0-4100612575
                                  • Opcode ID: 99774c8a86f39a4a4ed9f51b4d298462a4853be905daede3b3da28bfd203d653
                                  • Instruction ID: e3cc413f92437b90aebc082a3220d45596f0c51a4da07a93bdac811644cefd27
                                  • Opcode Fuzzy Hash: 99774c8a86f39a4a4ed9f51b4d298462a4853be905daede3b3da28bfd203d653
                                  • Instruction Fuzzy Hash: B7715BB020C345AFD710DF55C890B9ABBF4BF8A708F10893EF498D6A51D779D8489B92
                                  Similarity
                                  • API ID:
                                  • String ID: K?Jo$K?Jo$`Rlx$7eO
                                  • API String ID: 0-174837320
                                  • Opcode ID: ce10682e56a9a2d83787dc99702310757f63638df9bd51cb0abf195045fd1a52
                                  • Instruction ID: 0025c9305ba29d242e9a3e982ab59df27ee6852c23bd0a172f31d8838f67c03e
                                  • Opcode Fuzzy Hash: ce10682e56a9a2d83787dc99702310757f63638df9bd51cb0abf195045fd1a52
                                  • Instruction Fuzzy Hash: F04256B860D3428FC755CF68C090A1ABBE1AFD9318F288D2EE59587B61D738D845CB53
                                  Similarity
                                  • API ID:
                                  • String ID: ;T55
                                  • API String ID: 0-2572755013
                                  • Opcode ID: d940c18adb459d66e36d0195f56a53c5731b75f6054b5cc3e04c42aabd1d8a28
                                  • Instruction ID: 387a23c66d521709b6ac3c8cd3f224bd56194125761e8e9b9897874948ca31ab
                                  • Opcode Fuzzy Hash: d940c18adb459d66e36d0195f56a53c5731b75f6054b5cc3e04c42aabd1d8a28
                                  • Instruction Fuzzy Hash: 2703E8336447018FC728CF28C8D0A96B7E3AFD532475DCA6DC0A64B6A5DB78B54ACB50

                                  Control-flow Graph

                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID: D
                                  • API String ID: 963392458-2746444292
                                  • Opcode ID: 71eeea246c7c09cdc17dd93c088aac165c8bc640e27b9b76f9941a56a4c645b4
                                  • Instruction ID: f87b334cffa690f58c5e688d7c8d1dcd6c844bf92bda9dec035e52208614e497
                                  • Opcode Fuzzy Hash: 71eeea246c7c09cdc17dd93c088aac165c8bc640e27b9b76f9941a56a4c645b4
                                  • Instruction Fuzzy Hash: C131E2708093808FD740DF28D19872ABBF0AB9A318F409A1DF89997250E7B5D588CF43

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 6C15BEB1: GetConsoleCP.KERNEL32(?,6C15B0D0,?), ref: 6C15BEF9
                                  • WriteFile.KERNEL32(?,?,6C1646EC,00000000,00000000,?,00000000,00000000,6C165AB6,00000000,00000000,?,00000000,6C15B0D0,6C1646EC,00000000), ref: 6C15BDAF
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1646EC,6C15B0D0,00000000,?,?,?,?,00000000,?), ref: 6C15BDB9
                                  • __dosmaperr.LIBCMT ref: 6C15BDFE
                                  Similarity
                                  • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                  • String ID: 8Q
                                  • API String ID: 251514795-4022487301
                                  • Opcode ID: 8a8968a80955be27d42ff8bb34377a247a0e383958c470ef2a43b76d59d61b17
                                  • Instruction ID: c88570156e8463ea9bb837cba9d45d8996b86bc71dd77c9a0757fe05a33d0eb3
                                  • Opcode Fuzzy Hash: 8a8968a80955be27d42ff8bb34377a247a0e383958c470ef2a43b76d59d61b17
                                  • Instruction Fuzzy Hash: AD51F7F1A0120EAFDB01DFA8C840BEEBB79EF0635CF940451E530ABA81D7749955C7A1

                                  Control-flow Graph

                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C145D31
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  • Opcode ID: 418ed33bb8847d90d55242276a8c0e3c098ca2a7ab2a5d01d34d8baf757ae6da
                                  • Instruction ID: 79a782dd835b6d92e0aea8a4b0c99a97d61a9d1f818779f8b27c10656bb4a9c6
                                  • Opcode Fuzzy Hash: 418ed33bb8847d90d55242276a8c0e3c098ca2a7ab2a5d01d34d8baf757ae6da
                                  • Instruction Fuzzy Hash: 6D5131B5A00B408FD725CF29C495B97BBF1BB48318F108A2DD8864BB90D775B90ACF90

                                  Control-flow Graph

                                  APIs
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,6C16425F), ref: 6C15B97B
                                  • GetLastError.KERNEL32(?,00000000,?,6C16425F), ref: 6C15B985
                                  • __dosmaperr.LIBCMT ref: 6C15B9B0
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID:
                                  • API String ID: 2583163307-0
                                  • Opcode ID: 11ec3c0f93f95ed815bf5ffa53e858c8566be0369de5069a64d969edebf5d161
                                  • Instruction ID: d6a6bf6ce1404690b219ea2b5832d82514f4460648ca736f3a8870713554ee6a
                                  • Opcode Fuzzy Hash: 11ec3c0f93f95ed815bf5ffa53e858c8566be0369de5069a64d969edebf5d161
                                  • Instruction Fuzzy Hash: E1012BF3A492205AC201163B984579D77654FD373CFB94359FC358BEC0DB60C8658290

                                  Control-flow Graph

                                  Similarity
                                  • API ID:
                                  • String ID: 8Q
                                  • API String ID: 0-4022487301
                                  • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                  • Instruction ID: 79df521a1f9c5c3d0130d5d2cd0596d12b926c03d80e49445d492baab6704b89
                                  • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                  • Instruction Fuzzy Hash: 1CF0F4F29016546BD6215ABACC00BDB36989F4337CF900755E87197ED0DB74D42AC6E2
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C145AB4
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C145AF4
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID:
                                  • API String ID: 323602529-0
                                  • Opcode ID: d3ad802a7b730c7c72999f234a73290867204cfbdac4f8c0089c1d6d088b5168
                                  • Instruction ID: 634f1479c4f1ab668ea3bfddba9ecb54c83f79ac8176d951e7c7b54b8f01a134
                                  • Opcode Fuzzy Hash: d3ad802a7b730c7c72999f234a73290867204cfbdac4f8c0089c1d6d088b5168
                                  • Instruction Fuzzy Hash: 41515671201B04DBE735CF25C894BE6BBF4BB04718F448A1CE4AA4BBA1DB30B549CB80
                                  APIs
                                  • GetLastError.KERNEL32(6C176DD8,0000000C), ref: 6C14EF52
                                  • ExitThread.KERNEL32 ref: 6C14EF59
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: ErrorExitLastThread
                                   • API String ID: 1611280651-0
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: __wsopen_s
                                   • API String ID: 3347428461-0
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: _free
                                   • API String ID: 269201875-0
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000000,?,6C164115,?,?,00000000,?,6C164115,00000000,0000000C), ref: 6C164474
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: CreateFile
                                   • API String ID: 823142352-0
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: _strlen
                                   • String ID: g)''
                                   • API String ID: 4218353326-3487984327
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 6C145D6A
                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C145D76
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C145D84
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C145DAB
                                  • NtInitiatePowerAction.NTDLL ref: 6C145DBF
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                   • String ID: SeShutdownPrivilege
                                   • API String ID: 3256374457-3733053543
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • String ID: \j`7$\j`7$j
                                   • API String ID: 0-3644614255
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C1D84B1
                                    • Part of subcall function 6C1D993B: __EH_prolog.LIBCMT ref: 6C1D9940
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: H_prolog
                                   • String ID: 1$`)K$h)K
                                   • API String ID: 3519838083-3935664338
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C1CAEF4
                                    • Part of subcall function 6C1CE622: __EH_prolog.LIBCMT ref: 6C1CE627
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: H_prolog
                                   • String ID: $h%K
                                   • API String ID: 3519838083-1737110039
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C1A6CE5
                                    • Part of subcall function 6C17CC2A: __EH_prolog.LIBCMT ref: 6C17CC2F
                                    • Part of subcall function 6C17E6A6: __EH_prolog.LIBCMT ref: 6C17E6AB
                                    • Part of subcall function 6C1A6A0E: __EH_prolog.LIBCMT ref: 6C1A6A13
                                    • Part of subcall function 6C1A6837: __EH_prolog.LIBCMT ref: 6C1A683C
                                    • Part of subcall function 6C1AA143: __EH_prolog.LIBCMT ref: 6C1AA148
                                    • Part of subcall function 6C1AA143: ctype.LIBCPMT ref: 6C1AA16C
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: H_prolog$ctype
                                   • API String ID: 1039218491-3916222277
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • String ID: 3J$`/J$`1J$p0J
                                   • API String ID: 0-2826663437
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: H_prolog
                                   • String ID: W
                                   • API String ID: 3519838083-655174618
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C150279
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C150283
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C150290
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                   • API String ID: 3906539128-0
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,6C14F235,6C149C49,00000003,00000000,6C149C49,00000000), ref: 6C14F19F
                                  • TerminateProcess.KERNEL32(00000000,?,6C14F235,6C149C49,00000003,00000000,6C149C49,00000000), ref: 6C14F1A6
                                  • ExitProcess.KERNEL32 ref: 6C14F1B8
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: Process$CurrentExitTerminate
                                   • API String ID: 1703294689-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C1C489B
                                    • Part of subcall function 6C1C5FC9: __EH_prolog.LIBCMT ref: 6C1C5FCE
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                   Similarity
                                   • API ID: H_prolog
                                   • String ID: @ K
                                   • API String ID: 3519838083-4216449128
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: x=J
                                  • API String ID: 3519838083-1497497802
                                  • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                  • Instruction ID: 54cfe2ebddf0f5a0061e8bc84e324f8eff0dcd994e41c20e9643dc0339b2d3b2
                                  • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                  • Instruction Fuzzy Hash: 5091E431D111099BDF24DFA4D8A4AEDB7B6FF16318F20806AD45177A50DB329A4DCBB0
                                  APIs
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C1478B0
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C1480D3
                                    • Part of subcall function 6C149379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1480BC,00000000,?,?,?,6C1480BC,?,6C17554C), ref: 6C1493D9
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                  • String ID:
                                  • API String ID: 915016180-0
                                  • Opcode ID: 5381b1cfa1ce9b3658cfeede5d9349227796d38712233bd5ad8a67d58495cfec
                                  • Instruction ID: 7b59c2ca576cc83a5cd1bd5d8f7c9bb9b180f86a18eba6c6c838352e76d5cff3
                                  • Opcode Fuzzy Hash: 5381b1cfa1ce9b3658cfeede5d9349227796d38712233bd5ad8a67d58495cfec
                                  • Instruction Fuzzy Hash: 74B19B75A042099FDB05DF65C8856DDBBB5FB49328F24C22AD825E7780D374D948CFA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                  • Instruction ID: 5fc28723969526c9e0e74d3bd782f30a619bd491a57741cbed957fe5aff8362c
                                  • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                  • Instruction Fuzzy Hash: 0BB2BC30A04B5ACFDB21CF69C4A4B9EBBF1BF18308F144199D49AE7A91D770A985CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @4J$DsL
                                  • API String ID: 0-2004129199
                                  • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                  • Instruction ID: 0e1232435ce93b0859a7cab59b33ca5c18c95f52c8dafcdf6149c0da4d5a08b3
                                  • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                  • Instruction Fuzzy Hash: 1C2191376A49560BD74CCA28DC33EB926C1E744305B89527EEE4BCB7D1DF5C8800C648
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                  • Instruction ID: ece7ae749144ccc79965402af4c015f712c8a01dccd7d072e3ca8fafd3a155de
                                  • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                  • Instruction Fuzzy Hash: 9B12F6B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EF898A7311D770E9568B86
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: __aullrem
                                  • String ID:
                                  • API String ID: 3758378126-0
                                  • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                  • Instruction ID: 39494372edb8408cf0db7735ef61a046f134900d4073c20a3590317c877ea60a
                                  • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                  • Instruction Fuzzy Hash: A551DA71A093859BD710CF5AC4C06EDFBF6EF7A214F14C05DE8C897242D27A599ACB60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                  • Instruction ID: da02e1e336e468379a95b235a93e4ebe4473eaf1a6268b1e628486b6a1b45067
                                  • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                  • Instruction Fuzzy Hash: 1FD13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (SL
                                  • API String ID: 0-669240678
                                  • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                  • Instruction ID: b7d2ea9f636ce27e031ecdef1fd92fe35337f65851a953466f32db0265304a2b
                                  • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                  • Instruction Fuzzy Hash: 78519473E208214AD78CCE24DC2177572D2E784310F8BC1B99D8BAB6E6CD78989187D4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: xU$l
                                  • API String ID: 0-1347712993
                                  • Opcode ID: ea413d23d4087bdcfd072c262dbf18df5f64661c78f70350ad2eba5b9b341305
                                  • Instruction ID: 43f7fae3bcfbaf5bf57b5eba39b33a0267666d298272085e6211f344aa0d1bf5
                                  • Opcode Fuzzy Hash: ea413d23d4087bdcfd072c262dbf18df5f64661c78f70350ad2eba5b9b341305
                                  • Instruction Fuzzy Hash: 65F0E5B2A11328DBCB12DB4CC405B8973BDEB45B65F5140A6E454DB640C3B0DD10C7C0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                  • Instruction ID: c604bede0d723ca7e15356e55c8212e33abc1b9c7abbeecd0b1942a4901f6e6f
                                  • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                  • Instruction Fuzzy Hash: 23726BB1A046178FD748CF28C490268FBE1FF89314B5A46ADD95ADB742DB70E895CBC0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                  • Instruction ID: 429553c063c673d2dcd0ca5fa45276db4f979f1ccd00a8bdce92e874459c12c6
                                  • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                  • Instruction Fuzzy Hash: BC62D0B5A08349CFC724CF19C480A1ABBE5BFC8745F648A2EF89987715D770E845CB92
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                  • Instruction ID: a10ebdc77feeabc112bec0521e1e1f1d8ca19e9a52f8bbf9c7e084bd5ce40b59
                                  • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                  • Instruction Fuzzy Hash: 90426071704B0A8FD324DF69C89079BB7E2FB84314F044A2EE896C7B55E774A549CB41
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                  • Instruction ID: 3f0b7f6185ac04308a1166774face52b3f7d053822dcd331852ba1e8aa794492
                                  • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                  • Instruction Fuzzy Hash: DE020673B087594BD715CE1DC880219B7E7BBD0380F6A4A2FFC9587B94DAB09946C781
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                  • Instruction ID: e1e0f59d290c4d26b70901611a3b798cee377c6c4c74accfd322d7e6eeea6754
                                  • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                  • Instruction Fuzzy Hash: E702E672B083158BC319CE28C490359BBE6FBD4355F198B2FEC96D7A94D7709884CB92
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                  • Instruction ID: 7d7750d05076d11bbd67515e9f333f6df43f67eb1f5a7309f484c3760027ab81
                                  • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                  • Instruction Fuzzy Hash: DD12C270604B558FC324CF2EC490626FBF2BF85305F188A6ED5D687AA1D735E588CB91
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                  • Instruction ID: ac3c1e0d002020617a4a20825a70cb09a3a105f89bcd9dd37a6dd78a1347b27a
                                  • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                  • Instruction Fuzzy Hash: 13E1C072704B098BE724CF28D4603ABB7E2EBC5314F544A2DC5A6C7B81DB75E50ACB91
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                  • Instruction ID: a7ed7141d7d6cff63a84b7440b617aa9fa370ad7786104fdb2b996829855ca52
                                  • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                  • Instruction Fuzzy Hash: B1F1E1702087558FC329CF2DC490626FBE2BF89305F184A6EE5D6CBA91D339E594CB91
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                  • Instruction ID: 7f14b9569db53605630b76e29744a764990307cc0c974c88d8968d221ab821e9
                                  • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                  • Instruction Fuzzy Hash: 4CF1E3B06087658FC329DF2DC490266FBF1BF85705F148A2ED8D687A81D339E155CB62
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                  • Instruction ID: e0c2a936f6a41c504f9343ebc89f04c14e26b86791db8810e774cd73bf34b5a0
                                  • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                  • Instruction Fuzzy Hash: 2CC1B571604B0A8BE328CF29C4A06AAB7E2FBD4314F558A2DC1A7C7B45D674F456CB81
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                  • Instruction ID: 491416f1998ab07b0bde3005643cf2225f190db04498f75095d98c2ac01afea5
                                  • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                  • Instruction Fuzzy Hash: B7E1E7B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                  • Instruction ID: 336d6f9decdafef7b3aa212b31e08c9921a14700425587862b4c9884af419722
                                  • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                  • Instruction Fuzzy Hash: 5BC1C3352047858BC718CF39D0A4696BBE2EFEA314F148A6DC8DE4BB55DA30A40ECB55
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                  • Instruction ID: a129542d3fd39ba6eb7827c5ed8237356a5b26f1430a31cf1548adad39cbc319
                                  • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                  • Instruction Fuzzy Hash: E9B16E75A052448FC341CF29C884248BBE2FF9522CB79969EC5A48F646E337E947CBD1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                  • Instruction ID: 2269603fbc7f9fdb6f0271ea4240844ce66ee5ef48c13e25fe27f485b406db23
                                  • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                  • Instruction Fuzzy Hash: ADD1E7B1848B9B5FD394EF4DEC81A357762AB88301F4A8239DB6007753D634BB12D794
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                  • Instruction ID: 17ce87ec669d5f05f21b2e447320ac3b161856088f1543a9b5e22a20bd2c70fd
                                  • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                  • Instruction Fuzzy Hash: 49B1A031305B058BD324EF39C890BDBB7E1AF99708F04452DD9AA87781EF35A609CB95
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                  • Instruction ID: 38fbe5fab78950bfeef6c90b3fcbe2379a75cddb3747cf604bc317e58e7498f6
                                  • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                  • Instruction Fuzzy Hash: 586153B23082158FD308CF99E690A56B3E5EBA9321B1686BFD115CF361E771DC42CB18
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                  • Instruction ID: 74e9a6c393419991aedcf9cef0884609d178c6b487566a5c264aac37e073af65
                                  • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                  • Instruction Fuzzy Hash: 689190B6D1871A8BD314CF18C88025AB7E0FB88318F09067EED99A7341D739EA55CBC5
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                  • Instruction ID: 1da2789550f22bc049c7a3b250c1b9156e412255efb22b6578c50ed49d5879c8
                                  • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                  • Instruction Fuzzy Hash: 9151AD72F006099BDB08CE98DDA16EDBBF2EB98308F248169D115E7781D7749A41CB80
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                  • Instruction ID: 5bf93f0b8cd24a64ba1e92b6f61c892d5008b87fabf8dd70c5d6591c0c05bfb3
                                  • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                  • Instruction Fuzzy Hash: 273114277A440103C70CCE3BCC5679F91535BE462A70ECF796C05DEF55D52CD8124144
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                  • Instruction ID: cfc5278b60d67805eba71a10f2606e30f8c94845abea55d0917016feb03f9284
                                  • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                  • Instruction Fuzzy Hash: 6E310A73504A060AF2018529C94435672E3DFD2368F6A87A5D97687EECCAB1DA07C181
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                  • Instruction ID: a8d1122ec5cbfc8375fd55664ac4fb3b5eda40ceea141e2fd9ecd8833eb8f793
                                  • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                  • Instruction Fuzzy Hash: 4241A2B1A0470A8BD704CF19C89056AB3E4FF88318F454A6DFD5A97351E331EA55CB81
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                  • Instruction ID: 9a1afb976ad894346c831c109941308e8650c1ebcba04055ba91c818aa5bca68
                                  • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                  • Instruction Fuzzy Hash: 57217BB1A087EB07F3208E2DCCC037477D29BC2309F094279DA648FA47D1798493D6A0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                  • Instruction ID: b81135eabbe0401b37c7686f972b05c5fd771c8f8ab07e4e8f9ea03b9b845ba0
                                  • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                  • Instruction Fuzzy Hash: 23210D7251942A87C301DF5DE48467773E1FFC431DF674A26EE9287981C525D488D690
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                  • Instruction ID: b7c48ddcb1e61c76542dd6a05447c3cd42122b0b0336925f64f5f9f26e89858e
                                  • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                  • Instruction Fuzzy Hash: FE2129326061188FC701EF6AD98469B73E6FFC4365F67C63DED8147640C531E50A8690
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                  • Instruction ID: 40b8522dcba086fb4677a20f86c8a20058ad6caf6c4423a6613dd29231c8f228
                                  • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                  • Instruction Fuzzy Hash: 2501D17291462E57DB189F08CC41132B390FB84312F49823ADD479B385E734F870C6C0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                  • Instruction ID: d56103d39e34e80043d73e0da2711606d46a1afd757365db08d88b7bdfdaebee
                                  • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                  • Instruction Fuzzy Hash: 7FE08CB2A12238EBCB25EB88C900E8AB3FCEB44A05F510496B521D3610D270DE00C7D0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                  • API String ID: 3519838083-609671
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: __aulldiv$H_prolog
                                  • String ID: >WJ$x$x
                                  • API String ID: 2300968129-3162267903
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 6C149B07
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6C149B0F
                                  • _ValidateLocalCookies.LIBCMT ref: 6C149B98
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6C149BC3
                                  • _ValidateLocalCookies.LIBCMT ref: 6C149C18
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 0-537541572
                                  APIs
                                  • GetConsoleCP.KERNEL32(?,6C15B0D0,?), ref: 6C15BEF9
                                  • __fassign.LIBCMT ref: 6C15C0D8
                                  • __fassign.LIBCMT ref: 6C15C0F5
                                  • WriteFile.KERNEL32(?,6C165AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C15C13D
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C15C17D
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C15C229
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: FileWrite__fassign$ConsoleErrorLast
                                  • String ID:
                                  • API String ID: 4031098158-0
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C012F95
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C012FAF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C012FD0
                                  • __Getctype.LIBCPMT ref: 6C013084
                                  • std::_Facet_Register.LIBCPMT ref: 6C01309C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0130B7
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID:
                                  • API String ID: 1102183713-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: __aulldiv$__aullrem
                                  • String ID:
                                  • API String ID: 2022606265-0
                                  • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                  • Instruction ID: 9c27ed21daa5f797600cae23a528ce31bce1f1f2f484cf381d7f1be559841281
                                  • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                  • Instruction Fuzzy Hash: 7321647150A31DBFEF208E94CC40DDF7AA9EF817A9F308225BA2561990D6718D50DAA1
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C18A6F1
                                    • Part of subcall function 6C199173: __EH_prolog.LIBCMT ref: 6C199178
                                  • __EH_prolog.LIBCMT ref: 6C18A8F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: IJ$WIJ$J
                                  • API String ID: 3519838083-740443243
                                  • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                  • Instruction ID: e34e86d570c35c0c6eb56ea7957e531a342d4d3c0f3e183e37aabe0f25d4ce19
                                  • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                  • Instruction Fuzzy Hash: 6271AF30909255DFDB14DFA4C480BEDB7F1BF15308F1080A9D8556BB91CB79AA09CFA0
                                  APIs
                                  • _free.LIBCMT ref: 6C165ADD
                                  • _free.LIBCMT ref: 6C165B06
                                  • SetEndOfFile.KERNEL32(00000000,6C1646EC,00000000,6C15B0D0,?,?,?,?,?,?,?,6C1646EC,6C15B0D0,00000000), ref: 6C165B38
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1646EC,6C15B0D0,00000000,?,?,?,?,00000000,?), ref: 6C165B54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFileLast
                                  • String ID: 8Q
                                  • API String ID: 1547350101-4022487301
                                  • Opcode ID: 3a907bd4a4c62cf7d2ca94b573a0f5f69e0efacc969d2374f4d66285bf588afd
                                  • Instruction ID: 10ff482e6b6d3d21c4b71a6023fc72b9b6305e85b9c7dc727a57a9c6b9ee0799
                                  • Opcode Fuzzy Hash: 3a907bd4a4c62cf7d2ca94b573a0f5f69e0efacc969d2374f4d66285bf588afd
                                  • Instruction Fuzzy Hash: 3A41C772A00645ABDB019FBACC81BDE3B76EF55328F254511F824E7F91EB34C8658760
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C19E41D
                                    • Part of subcall function 6C19EE40: __EH_prolog.LIBCMT ref: 6C19EE45
                                    • Part of subcall function 6C19E8EB: __EH_prolog.LIBCMT ref: 6C19E8F0
                                    • Part of subcall function 6C19E593: __EH_prolog.LIBCMT ref: 6C19E598
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: &qB$0aJ$A0$XqB
                                  • API String ID: 3519838083-1326096578
                                  • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                  • Instruction ID: e3a08cc2f9b01c0f295f32175de568a773019df07be2c701974510b4cae161d4
                                  • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                  • Instruction Fuzzy Hash: 7E218671D05248EACB18DBE4D994AEDBBB5AF25318F20402EE41277781DB785F0CCB61
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C14F1B4,00000000,?,6C14F235,6C149C49,00000003,00000000), ref: 6C14F13F
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C14F152
                                  • FreeLibrary.KERNEL32(00000000,?,?,6C14F1B4,00000000,?,6C14F235,6C149C49,00000003,00000000), ref: 6C14F175
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 47770b7c3fb0abd833b27cab32914451f0fc642799779959fbde1d94144a66f5
                                  • Instruction ID: 94cf23fce7e5139519fefdaf921e7fe8386f16bbce5675c5ace49ede3c1e1a54
                                  • Opcode Fuzzy Hash: 47770b7c3fb0abd833b27cab32914451f0fc642799779959fbde1d94144a66f5
                                  • Instruction Fuzzy Hash: 53F01231601619FBEF12AB51C90DF9E7AB9EB0675AF114054E815E2550CB708E00EAA0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 6C14732E
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C147339
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1473A7
                                    • Part of subcall function 6C147230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C147248
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 6C147354
                                  • _Yarn.LIBCPMT ref: 6C14736A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                  • String ID:
                                  • API String ID: 1088826258-0
                                  • Opcode ID: b679b3782866d1f276ecccbd510044882e9bb49dfd8df0a4288098fcaf57ec95
                                  • Instruction ID: 6d02546f8ddaf55fe75a359099e2d6dccfbf11d3132d490326597bc28b1f5e81
                                  • Opcode Fuzzy Hash: b679b3782866d1f276ecccbd510044882e9bb49dfd8df0a4288098fcaf57ec95
                                  • Instruction Fuzzy Hash: 76017C75A005109BDB05EF20C854ABD7BB2FF96658B15C04ADC01A7BC0CF34AA46CFD1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: $!$@
                                  • API String ID: 3519838083-2517134481
                                  • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                  • Instruction ID: e5d1b528dfabfd149c212c6f512584b9766b6cb08df3e38d5fe2371f9092a769
                                  • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                  • Instruction Fuzzy Hash: 5A128F70A05249DFCB04CFA4C4D0AEDBBB1BF25308F14806AF955ABB51CB78E955CB92
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog__aulldiv
                                  • String ID: $SJ
                                  • API String ID: 4125985754-3948962906
                                  • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                  • Instruction ID: fb9b8f2252400dc58277a45f5a6ad05648cf36fc99d0cc94d4058eab14ff62d7
                                  • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                  • Instruction Fuzzy Hash: 4EB13CB1E012099FCB14CF99C8949EEBBF1FF58314B60852EE51AA7B50D734AA45CF90
                                  APIs
                                    • Part of subcall function 6C147327: __EH_prolog3.LIBCMT ref: 6C14732E
                                    • Part of subcall function 6C147327: std::_Lockit::_Lockit.LIBCPMT ref: 6C147339
                                    • Part of subcall function 6C147327: std::locale::_Setgloballocale.LIBCPMT ref: 6C147354
                                    • Part of subcall function 6C147327: _Yarn.LIBCPMT ref: 6C14736A
                                    • Part of subcall function 6C147327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1473A7
                                    • Part of subcall function 6C012F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C012F95
                                    • Part of subcall function 6C012F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C012FAF
                                    • Part of subcall function 6C012F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C012FD0
                                    • Part of subcall function 6C012F60: __Getctype.LIBCPMT ref: 6C013084
                                    • Part of subcall function 6C012F60: std::_Facet_Register.LIBCPMT ref: 6C01309C
                                    • Part of subcall function 6C012F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0130B7
                                  • std::ios_base::_Addstd.LIBCPMT ref: 6C01211B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 3332196525-1866435925
                                  • Opcode ID: 722abb655d7eda9a2bdb467833bb9926c58a00756d3f0e1c17b3abc96cf1b469
                                  • Instruction ID: e9b8b7a1df023701793bb156625dc85d29df3b515b10d17bc4463289e1af3da6
                                  • Opcode Fuzzy Hash: 722abb655d7eda9a2bdb467833bb9926c58a00756d3f0e1c17b3abc96cf1b469
                                  • Instruction Fuzzy Hash: B041A3B0A003099FDB00CFA4C8457AEFBF5FF49318F148268E915ABB91D775A985CB90
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C1A4ECC
                                    • Part of subcall function 6C18F58A: __EH_prolog.LIBCMT ref: 6C18F58F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: :hJ$dJ$xJ
                                  • API String ID: 3519838083-2437443688
                                  • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                  • Instruction ID: 5ec7c1926fa00d242fa331fee014533621696cabc11275e50b46377504ec40a2
                                  • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                  • Instruction Fuzzy Hash: F921D8B0805B40CFC760CF6AC14428ABBF4FF2A708B00C95EC0AA97B11D7B8A608CF55
                                  APIs
                                  • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C15B0D0,6C011DEA,00008000,6C15B0D0,?,?,?,6C15AC7F,6C15B0D0,?,00000000,6C011DEA), ref: 6C15ADC9
                                  • GetLastError.KERNEL32(?,?,?,6C15AC7F,6C15B0D0,?,00000000,6C011DEA,?,6C16469E,6C15B0D0,000000FF,000000FF,00000002,00008000,6C15B0D0), ref: 6C15ADD3
                                  • __dosmaperr.LIBCMT ref: 6C15ADDA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer__dosmaperr
                                  • String ID: 8Q
                                  • API String ID: 2336955059-4022487301
                                  • Opcode ID: 7748aee41b44e54ee4ed1a9a25d6dc265a29b6342118dbbb2fdf5c61b336dc67
                                  • Instruction ID: 41921a60b1dace9b3db7f2c2069a060ce3d87e1f4931262da9141a15b1a48676
                                  • Opcode Fuzzy Hash: 7748aee41b44e54ee4ed1a9a25d6dc265a29b6342118dbbb2fdf5c61b336dc67
                                  • Instruction Fuzzy Hash: 2801F773750529AFCF059F6ACC059EE3B39EB86325B754208F8219B680EB71D9118FB0
                                  APIs
                                  • AcquireSRWLockExclusive.KERNEL32(6C24466C,?,652EF5AA,6C01230E,6C24430C), ref: 6C146B07
                                  • ReleaseSRWLockExclusive.KERNEL32(6C24466C), ref: 6C146B3A
                                  • WakeAllConditionVariable.KERNEL32(6C244668), ref: 6C146B45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                  • String ID: lF$l
                                  • API String ID: 1466638765-2437917184
                                  • Opcode ID: 6fc6f86959b10f807f37257ab006ce62a7e39ce64b832700878088f7004cc6be
                                  • Instruction ID: 31822ba7d7e3a362ff6cbf4c15769a8eb1d4ced74d9dfa8aa3a7633e5a42acb8
                                  • Opcode Fuzzy Hash: 6fc6f86959b10f807f37257ab006ce62a7e39ce64b832700878088f7004cc6be
                                  • Instruction Fuzzy Hash: AFF01574601914DBCB0AEF58E84CD947BB8FB4A355B01806AFD0687740CA70A801CFA4
                                  APIs
                                  • GetLastError.KERNEL32(00000008,?,00000000,6C158453), ref: 6C1549B7
                                  • _free.LIBCMT ref: 6C154A14
                                  • _free.LIBCMT ref: 6C154A4A
                                  • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C154A55
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ErrorLast_free
                                  • String ID:
                                  • API String ID: 2283115069-0
                                  • Opcode ID: 11c02eb8489a70689a701c39628a90aa73e3625da1d9611238924d740843d277
                                  • Instruction ID: 5fa3c9aa2d26a9ed48f2a9e975e6eb5113350eb4e06e93da1165c51f5e1397b2
                                  • Opcode Fuzzy Hash: 11c02eb8489a70689a701c39628a90aa73e3625da1d9611238924d740843d277
                                  • Instruction Fuzzy Hash: A8110AF67051056FDA1159B98C88F9A2179ABC637CBA64624F93593BC0EF308C3485A8
                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,?,6C1646EC,00000000,00000000,?,6C164B51,00000000,00000001,00000000,6C15B0D0,?,6C15C286,?,?,6C15B0D0), ref: 6C165ED1
                                  • GetLastError.KERNEL32(?,6C164B51,00000000,00000001,00000000,6C15B0D0,?,6C15C286,?,?,6C15B0D0,?,6C15B0D0,?,6C15BD1C,6C165AB6), ref: 6C165EDD
                                    • Part of subcall function 6C165F2E: CloseHandle.KERNEL32(FFFFFFFE,6C165EED,?,6C164B51,00000000,00000001,00000000,6C15B0D0,?,6C15C286,?,?,6C15B0D0,?,6C15B0D0), ref: 6C165F3E
                                  • ___initconout.LIBCMT ref: 6C165EED
                                    • Part of subcall function 6C165F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C165EAB,6C164B3E,6C15B0D0,?,6C15C286,?,?,6C15B0D0,?), ref: 6C165F22
                                  • WriteConsoleW.KERNEL32(00000000,?,6C1646EC,00000000,?,6C164B51,00000000,00000001,00000000,6C15B0D0,?,6C15C286,?,?,6C15B0D0,?), ref: 6C165F02
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: 9e520c5efacee9c918e418a9cd4add163394479cf8d9ccf573795107d7c3bfb2
                                  • Instruction ID: 012874588bc967865e7cd90b3b8f3e72212d04b47795c3c11224fccb75e0f45e
                                  • Opcode Fuzzy Hash: 9e520c5efacee9c918e418a9cd4add163394479cf8d9ccf573795107d7c3bfb2
                                  • Instruction Fuzzy Hash: 09F0AC36601125BBCF131FE6DC08A897F76FF097A5F184590FA5996661DB328820EB90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                   • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                   • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: 8Q
                                  • API String ID: 2427045233-4022487301
                                  • Opcode ID: 568c3397c539588bf431a90a5185bfcca54d5b8402d7d2eee3dd4860c8ab0987
                                  • Instruction ID: fdbcbbcb04999381f81ab8feba2ba614896e28937577c331c57d14007ba9c0c6
                                  • Opcode Fuzzy Hash: 568c3397c539588bf431a90a5185bfcca54d5b8402d7d2eee3dd4860c8ab0987
                                  • Instruction Fuzzy Hash: 0771D8F0D012569FDB158F96C884BEE7B75AF15318FD48215E830A7A40DF758867CB60
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C198C5D
                                    • Part of subcall function 6C19761A: __EH_prolog.LIBCMT ref: 6C19761F
                                    • Part of subcall function 6C197A2E: __EH_prolog.LIBCMT ref: 6C197A33
                                    • Part of subcall function 6C198EA5: __EH_prolog.LIBCMT ref: 6C198EAA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: WZJ
                                  • API String ID: 3519838083-1089469559
                                  • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                  • Instruction ID: c68f1df5750e204f11cd6fbd07b08f19905cfcda9434a2691e175e0e598b0f85
                                  • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                  • Instruction Fuzzy Hash: B0815935D00158DFDB25DFA8D890BDDB7B4AF19318F1040AAE516B77A0DB30AE09CB61
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 6C012A76
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: Jbx$Jbx
                                  • API String ID: 4194217158-1161259238
                                  • Opcode ID: 2f9f2e7a2a17b00311bfae10b55dcbc52eeee47f50ac68b4d028c704ce6b1b1e
                                  • Instruction ID: 35c92596bccfa7744d8aa1139e98c96aaa1f2ef3acfc37fa53bd2af946a93aa0
                                  • Opcode Fuzzy Hash: 2f9f2e7a2a17b00311bfae10b55dcbc52eeee47f50ac68b4d028c704ce6b1b1e
                                  • Instruction Fuzzy Hash: 895126B19042048FCB10CF99C88479EFBF5EF8A318F54856DE8499BB41D331E995CB92
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CK$CK
                                  • API String ID: 3519838083-2096518401
                                  • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                  • Instruction ID: 099aa70fc2e7c6a55c1a62b0f51a4a28c171bac2f322568feab963c4dd5a99eb
                                  • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                  • Instruction Fuzzy Hash: AB516175B00319DFDB00CFA4C8C4BBEB3B5FBA4358F158529E901E7A41DB79A9058B61
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C1646D6), ref: 6C15D01B
                                  • __dosmaperr.LIBCMT ref: 6C15D022
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr
                                  • String ID: 8Q
                                  • API String ID: 1659562826-4022487301
                                  • Opcode ID: a22fd1c6f90253b443c99ccac9ead50f17ed2785346a5aeb65350e9570371e89
                                  • Instruction ID: e801c25a64c29e9ca9f00f84474fb18125c5be2acfb98499e5204bc76e8c28f2
                                  • Opcode Fuzzy Hash: a22fd1c6f90253b443c99ccac9ead50f17ed2785346a5aeb65350e9570371e89
                                  • Instruction Fuzzy Hash: A541AEB1614194AFD711AF6CC890BA97FE5EF4A308F94829AFCA08B641D3729C35C790
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: 0|J$`)L
                                  • API String ID: 3519838083-117937767
                                  • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                  • Instruction ID: 690f66dbd27c2b463ad2d93eb81a372fb8b7c198e904f096c79664b4f6004d6d
                                  • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                  • Instruction Fuzzy Hash: 04418271605745EFDB21CFA0C4A07EABBE2FF55208F00842EE45667B50CB316919CF91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID: dU$l$hU$l
                                  • API String ID: 269201875-2882313644
                                  • Opcode ID: 62b5ca28af2674bdcfa0062d5117f7e75cac27027b0ec75fe148d5fab2e5ffa7
                                  • Instruction ID: 63630ff7ec03483a209f3825cc33d435c5b07ce87d04cd158352fc0b96c973c9
                                  • Opcode Fuzzy Hash: 62b5ca28af2674bdcfa0062d5117f7e75cac27027b0ec75fe148d5fab2e5ffa7
                                  • Instruction Fuzzy Hash: E011D3F12443019FF3108F2AD481B86B7E4EB1535CFA0842EE4ADC7B80EB71E9968790
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: @$LuJ
                                  • API String ID: 3519838083-205571748
                                  • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                  • Instruction ID: e6269d88940fd93a3f5d730a398dcb915d5efa497be4f3278ac8002a8878f568
                                  • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                  • Instruction Fuzzy Hash: 1C01C0B2E05349DADB10DFA988806AEF7B4FF69344F40842EE529F3A40C3385904CF59
                                  APIs
                                  • _free.LIBCMT ref: 6C15DD49
                                  • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C15A63A,?,00000004,?,4B42FCB6,?,?,6C14F78C,4B42FCB6,?), ref: 6C15DD85
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: AllocHeap_free
                                  • String ID: 8Q
                                  • API String ID: 1080816511-4022487301
                                  • Opcode ID: 2e1ca94f59ecd53c3b28f6b25bea21ff4856d0925bd3da53cb23ae0a937aea66
                                  • Instruction ID: 0c1c9e20c80d7d65f81a3f8a568a38fbd1f21cf756224aa1e899f143d8342b4c
                                  • Opcode Fuzzy Hash: 2e1ca94f59ecd53c3b28f6b25bea21ff4856d0925bd3da53cb23ae0a937aea66
                                  • Instruction Fuzzy Hash: EAF0F6B2601215BADB213E269D44B9B3B688FD3A78F924115ED349BED0DF34C420C7E0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: p/K$J
                                  • API String ID: 3519838083-2069324279
                                  • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                  • Instruction ID: 621bcaed491ef39c8c0e842221c5b608e547bdddf0edaa67dfa55eb8025f6449
                                  • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                  • Instruction Fuzzy Hash: D401BCB1A117119FD724CF58C5143AABBF4EF54729F10C81EA092A3B40C7F8A5088BA4
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6C1BAFCC
                                    • Part of subcall function 6C1BA4D1: __EH_prolog.LIBCMT ref: 6C1BA4D6
                                    • Part of subcall function 6C1B914B: __EH_prolog.LIBCMT ref: 6C1B9150
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: J$0J
                                  • API String ID: 3519838083-2882003284
                                  • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                  • Instruction ID: 169edc659d8c53d66d7dc5e48b6e0ade4882dbde81ab705caf35afa5a2a58999
                                  • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                  • Instruction Fuzzy Hash: 1B01F0B1804B508EC325CF6AC4A428AFBE0BB15308F90C95EC0AA57B50D7B8A508CF68
                                  APIs
                                  • AcquireSRWLockExclusive.KERNEL32(6C24466C,?,?,652EF5AA,6C0122D8,6C24430C), ref: 6C146AB9
                                  • ReleaseSRWLockExclusive.KERNEL32(6C24466C), ref: 6C146AF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2302266798.000000006BFC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFC0000, based on PE: true
                                  • Associated: 00000007.00000002.2302236658.000000006BFC0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303545212.000000006C168000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2305072400.000000006C332000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID: ExclusiveLock$AcquireRelease
                                  • String ID: lF$l
                                  • API String ID: 17069307-2437917184
                                  • Opcode ID: 6c6a931e4151633cdffde8026931a94d11afaf9b1b6a73da80d4018ae3654205
                                  • Instruction ID: 75894ca54cdb4924b8e692bae707ca0eb96c0f6d72dd9b2c136439e8a61a2cdb
                                  • Opcode Fuzzy Hash: 6c6a931e4151633cdffde8026931a94d11afaf9b1b6a73da80d4018ae3654205
                                  • Instruction Fuzzy Hash: ACF0A734240918DBC711AF54D804A55B7B4FB4773DF25C22DE85583BD0C7341842CE62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: D)K$H)K$P)K$T)K
                                  • API String ID: 0-2262112463
                                  • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                  • Instruction ID: bb4cc4c31644657eab06e8dd4df87b7e7ca92d5f791cbd24fb1450b01537acd7
                                  • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                  • Instruction Fuzzy Hash: 9D51F23190420AABCF11DF98D850BDEB7B1EF1531CF11446AE81167BA0DB79AD4CCBA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2303624048.000000006C178000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C178000, based on PE: true
                                  • Associated: 00000007.00000002.2304226872.000000006C243000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000007.00000002.2304262333.000000006C249000.00000020.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_6bfc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (?K$8?K$H?K$CK
                                  • API String ID: 0-3450752836
                                  • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                  • Instruction ID: 8a164ab9e8cf56c67f8f6ec049defbe8cbea38a48270f86963f9b4fc38c0447b
                                  • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                  • Instruction Fuzzy Hash: EBF017B06017009ED320CF06D54869BBBF4EB4175AF50C91FE5AA9BA40D3B8A5088FA8