Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_1.0.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_1.0.1.exe
(Joe Sandbox escapes non-ASCII file-name characters as #Uxxxx; the four escapes decode to 安装助手, "installation assistant", so the file was submitted as 安装助手_1.0.1.exe. The same escaped name appears throughout the process tree and detection data below.)
renamed because original name is a hash value
Original sample name: _1.0.1.exe
Analysis ID: 1579604
MD5: e927de0d1a14c591a56b4cea00e4e7a0
SHA1: fdf1ffc45903447f2a6ec0a3c11e1f965674ffa5
SHA256: 2dd9a2505feb807103a8caff637f1c046d2d0dba41ac9403a99979e13acb45b4
Tags: exe, SilverFox, winos, user-kafan_shengui (the SilverFox and winos tags attribute the sample to the Silver Fox cluster and its Winos tooling; user-* is the submitter tag)

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe (PID: 5612 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" MD5: E927DE0D1A14C591A56B4CEA00E4E7A0)
    • #U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PID: 6156 cmdline: "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 4564 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_1.0.1.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT MD5: E927DE0D1A14C591A56B4CEA00E4E7A0)
        • #U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PID: 4284 cmdline: "C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2049A,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 5544 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 1576 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1276 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4180 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6556 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6156 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6556 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6592 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1988 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4564 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6660 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5544 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5740 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1564 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches
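The tree above is worth reading as a chain rather than as a list: the Inno Setup installer (the /SL5= switch and the is-213SN.tmp / is-2OO0O.tmp staging directories are Inno Setup's) spawns its .tmp stage, which launches the Defender exclusion, re-runs itself with /VERYSILENT, and unpacks two password-protected 7-Zip archives with misleading extensions (res.dat, locale3.dat) using a dropped 7zr.exe; separately, cmd.exe registers tProtect.dll as a kernel-mode service and then issues sc start for it some thirty times, a retry loop consistent with the service failing to start. The parser below is an added example written for this page, not Joe Sandbox's or the report's own code: it reads the report's bullet format, rebuilds parent/child links from indentation, and answers the questions an analyst asks of such a tree (what spawned the exclusion, which command lines repeat). The embedded SAMPLE_TREE is a constructed excerpt of the lines above; note that the sandbox reused PID 1276 for both a cmd.exe and an sc.exe, which is why ancestry is tracked by node and not by PID.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the report's process tree (a subset of its lines, verbatim),
# embedded so the parser runs offline. Raw string: the paths contain "\U", which a
# normal Python string literal would try to read as a unicode escape.
SAMPLE_TREE = r"""
  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe (PID: 5612 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" MD5: E927DE0D1A14C591A56B4CEA00E4E7A0)
    • #U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PID: 6156 cmdline: "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 4564 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1276 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4180 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
"""

# One bullet line: indentation, image name, PID, command line, MD5 of the image.
LINE_RE = re.compile(r"^( *)• (.+?) \(PID: (\d+) cmdline: (.*) MD5: ([0-9A-Fa-f]{32})\)$")


@dataclass
class Proc:
    name: str
    pid: int
    cmdline: str
    md5: str
    parent: Optional["Proc"] = field(default=None, repr=False)  # repr=False avoids a cycle
    children: list = field(default_factory=list)


def parse_tree(text: str) -> list:
    """Rebuild parent/child links from indentation. Returns the root processes;
    lines that are not processes (e.g. "System is w10x64") are skipped."""
    roots, stack = [], []            # stack[i] = most recent node seen at depth i
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, name, pid, cmdline, md5 = m.groups()
        depth = max(0, len(indent) // 2 - 1)   # the report indents the top level by two spaces
        node = Proc(name, int(pid), cmdline, md5.upper())
        del stack[depth:]                       # pop back to this node's parent level
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        else:
            roots.append(node)
        stack.append(node)
    return roots


def walk(roots):
    """Depth-first iteration over every process in the tree."""
    for r in roots:
        yield r
        yield from walk(r.children)


def chain(proc: Proc) -> list:
    """Ancestry from the root down to proc, by image name (PIDs are reused, names are not)."""
    names = []
    while proc is not None:
        names.append(proc.name)
        proc = proc.parent
    return names[::-1]


def find(roots, image: str, needle: str = "") -> list:
    """Processes whose image name matches and whose command line contains needle."""
    return [p for p in walk(roots) if p.name.lower() == image.lower() and needle in p.cmdline]


def summarize(text: str) -> dict:
    roots = parse_tree(text)
    procs = list(walk(roots))
    counts = Counter(p.cmdline for p in procs)
    exclusion = find(roots, "powershell.exe", "Add-MpPreference")
    return {
        "processes": len(procs),
        "roots": len(roots),
        "exclusion_chain": chain(exclusion[0]) if exclusion else None,
        "repeated_cmdlines": {c: n for c, n in counts.items() if n > 1},
        "images_by_md5": {p.md5: p.name for p in procs},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_TREE), indent=2, ensure_ascii=False))
```

Run against the full tree on this page, `repeated_cmdlines` shows the `sc start CleverSoar` retry loop as a single count instead of thirty lines, and `images_by_md5` gives one hash per distinct image, which is the list to pivot on in an EDR.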

System Summary

Five Sigma rule matches, all on two process-creation events: three on the PowerShell Defender-exclusion command (PID 4564) and two on the sc.exe creation of the kernel-mode service (PID 4180).

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ParentProcessId: 6156, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4564, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1276, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 4180, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ParentProcessId: 6156, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4564, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1276, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 4180, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ParentProcessId: 6156, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4564, ProcessName: powershell.exe
No Suricata rule has matched
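The Sigma matches above key on two command lines: a Defender exclusion for the whole of C:\ (which silently disables scanning of every file the installer drops afterwards) and the registration of a kernel-mode service whose image is a .dll under Program Files rather than a .sys under System32\drivers. The process tree adds a third signal the rules do not score: the same sc start being retried dozens of times. The detection below is an added example written for this page, not one of the Sigma rules and not their authors' code. It runs equivalent logic over constructed process-creation events modelled on the report's command lines (with two benign controls added), escalating exclusions that cover a drive root, escalating kernel-service creation when the image is not a .sys under System32\drivers, and reporting bursts of sc start for one service. The event field names, the sample events, and the burst threshold and window are assumptions.

```python
import re

# Constructed process-creation events modelled on the command lines in the report,
# plus two benign controls (a narrow exclusion and a driver installed from System32\drivers).
# Real telemetry would be Sysmon event 1 / Security event 4688 with Image, CommandLine
# and a timestamp; "ts" here is seconds and the field names are assumptions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ts": 1, "image": PS,
     "cmd": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"ts": 2, "image": PS,
     "cmd": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\BuildAgent\\work'\""},
    {"ts": 5, "image": CMD,
     "cmd": r'cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"ts": 5, "image": SC,
     "cmd": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"ts": 6, "image": SC,
     "cmd": r'sc create vendordrv type= kernel binPath= "C:\Windows\System32\drivers\vendordrv.sys"'},
    *[{"ts": 10 + i, "image": SC, "cmd": "sc start CleverSoar"} for i in range(5)],
    {"ts": 500, "image": SC, "cmd": "sc start Spooler"},
]

EXCLUSION_RE = re.compile(r"-ExclusionPath\s+['\"]?([^'\"\s]+)", re.I)
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)", re.I)
# sc.exe syntax is "binPath= <value>" (space after the '='); value may be quoted.
BINPATH_RE = re.compile(r"binPath=\s*(?:\"([^\"]*)\"|(\S+))", re.I)
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
DRIVER_DIR = r"\windows\system32\drivers"


def is_sc(ev) -> bool:
    # Only count sc.exe itself; the "cmd /c start sc ..." parent carries the same text.
    return ev["image"].lower().endswith("\\sc.exe")


def check_defender_exclusion(ev):
    """Any Add-MpPreference exclusion is reportable; a drive-root path is the worst case."""
    if "add-mppreference" not in ev["cmd"].lower():
        return None
    m = EXCLUSION_RE.search(ev["cmd"])
    path = m.group(1) if m else None
    drive_root = path is not None and re.fullmatch(r"[A-Za-z]:\\?", path) is not None
    return {"rule": "defender_exclusion", "severity": "high" if drive_root else "medium", "path": path}


def check_kernel_driver_service(ev):
    """sc create ... type= kernel: escalate when the image is not a .sys in System32\\drivers."""
    if not is_sc(ev):
        return None
    m = SC_CREATE_RE.search(ev["cmd"])
    if not m or not re.search(r"type=\s*kernel", m.group(2), re.I):
        return None
    service, rest = m.group(1), m.group(2)
    b = BINPATH_RE.search(rest)
    binpath = (b.group(1) or b.group(2)) if b else ""
    reasons = []
    if not binpath.lower().endswith(".sys"):
        reasons.append("driver image does not have a .sys extension")
    if DRIVER_DIR not in binpath.lower():
        reasons.append("driver image is outside System32\\drivers")
    return {"rule": "kernel_driver_service", "severity": "high" if reasons else "low",
            "service": service, "binpath": binpath, "reasons": reasons}


def check_start_bursts(events, threshold=3, window_s=60):
    """Report a service that sc.exe was asked to start >= threshold times within window_s."""
    starts = {}
    for ev in events:
        if not is_sc(ev):
            continue
        m = SC_START_RE.search(ev["cmd"])
        if m:
            starts.setdefault(m.group(1).lower(), []).append(ev["ts"])
    hits = []
    for service, times in starts.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits.append({"rule": "sc_start_burst", "severity": "medium",
                         "service": service, "count": best, "window_s": window_s})
    return hits


def analyze(events, burst_threshold=3, window_s=60):
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_kernel_driver_service):
            hit = check(ev)
            if hit:
                findings.append(dict(hit, ts=ev["ts"]))
    findings.extend(check_start_bursts(events, burst_threshold, window_s))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Command-line matching is only one of the sources to pair: the same exclusion can be set through the MSFT_MpPreference WMI class without a PowerShell process, and a service can be created with CreateServiceW without sc.exe, so corroborate with Defender's configuration-change event 5007 in the Microsoft-Windows-Windows Defender/Operational log and the Service Control Manager's event 7045 (new service installed) in the System log, both of which record the outcome regardless of how it was requested.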


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.5% probability
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000C.00000003.2088481480.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2088003340.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
(This PDB path belongs to tProtect.dll, the file registered as the CleverSoar kernel service in the process tree. It shows the "driver" is a 64-bit free build of the third-party TfSysMon driver from a ThreatFire build tree, renamed to a .dll extension, not code written for this installer; it is the file the "Found driver which could be used to inject code into processes" signature refers to, and an original-name/extension mismatch of this kind is itself a useful hunting pivot.)
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA6AEC0 FindFirstFileA,FindClose,6_2_6CA6AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_009F6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_009F7496
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2044489223.0000000004110000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | Strings found in binary or memory (DigiCert CA-certificate, CRL, OCSP and CPS URLs of the kind carried in Authenticode signature chains; these are certificate metadata, not contacted hosts, and the trailing characters such as "0E" are adjacent ASN.1 bytes, not part of the URL):
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  http://ocsp.digicert.com0A
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0H
  http://ocsp.digicert.com0I
  http://ocsp.digicert.com0X
  http://www.digicert.com/CPS0
  http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | Strings found in binary or memory (these match the usage text of the aria2 download utility, so the dropped is-KEV8K.tmp is most likely an aria2c build bundled by the installer; no network activity was recorded in this run):
  http://www.metalinker.org/
  http://www.metalinker.org/basic_string::_M_construct
  https://aria2.github.io/
  https://aria2.github.io/Usage:
  https://github.com/aria2/aria2/issues
  https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028533279.000000007EDDB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028170519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000000.2030355478.0000000000801000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000000.2052977201.00000000006DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | Strings found in binary or memory (Inno Setup and its RemObjects Pascal Script engine; together with the /SL5= switch and the is-213SN.tmp / is-2OO0O.tmp staging directories in the process tree, they identify the sample as an Inno Setup installer):
  https://www.innosetup.com/
  https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess information set: 01 00 00 00

System Summary

Source: update.vac.2.drStatic PE information: section name: .=~
Source: hrsw.vbc.6.drStatic PE information: section name: .=~
Source: update.vac.6.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8F3886
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CA75120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6CA75120
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8F3C62
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8F3D18
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CA75D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6CA75D60
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8F3D62
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8F39CF
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8F3A6A
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F1950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6C8F1950
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6C8F4754
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C8F47546_2_6C8F4754
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6C904A276_2_6C904A27
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CA718806_2_6CA71880
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CA76A436_2_6CA76A43
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAD6CE06_2_6CAD6CE0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB44DE06_2_6CB44DE0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB26D106_2_6CB26D10
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAA8EA16_2_6CAA8EA1
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAFAEEF6_2_6CAFAEEF
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2EEF06_2_6CB2EEF0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAC2EC96_2_6CAC2EC9
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAF48966_2_6CAF4896
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB3C8D06_2_6CB3C8D0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB368206_2_6CB36820
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB1E8106_2_6CB1E810
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB448706_2_6CB44870
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB469996_2_6CB46999
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB3A9306_2_6CB3A930
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB4A91A6_2_6CB4A91A
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB269006_2_6CB26900
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAA89726_2_6CAA8972
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB389506_2_6CB38950
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB34AA06_2_6CB34AA0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB4AA006_2_6CB4AA00
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB00A526_2_6CB00A52
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB1AB906_2_6CB1AB90
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAB0BCA6_2_6CAB0BCA
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB3EBC06_2_6CB3EBC0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAC0B666_2_6CAC0B66
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB084AC6_2_6CB084AC
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB344896_2_6CB34489
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2E4D06_2_6CB2E4D0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2C5806_2_6CB2C580
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB225806_2_6CB22580
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB245D06_2_6CB245D0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB125216_2_6CB12521
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB385206_2_6CB38520
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB446C06_2_6CB446C0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB3E6006_2_6CB3E600
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB367A06_2_6CB367A0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB0C7F36_2_6CB0C7F3
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAAC7CF6_2_6CAAC7CF
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB467C06_2_6CB467C0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2E0E06_2_6CB2E0E0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB200206_2_6CB20020
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB3C2A06_2_6CB3C2A0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB382006_2_6CB38200
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB45D906_2_6CB45D90
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB23D506_2_6CB23D50
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAF7D436_2_6CAF7D43
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB29E806_2_6CB29E80
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB01F116_2_6CB01F11
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB1589F6_2_6CB1589F
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB378C86_2_6CB378C8
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB299F06_2_6CB299F0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB21AA06_2_6CB21AA0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB1DAD06_2_6CB1DAD0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB1FA506_2_6CB1FA50
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAC540A6_2_6CAC540A
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAEF5EC6_2_6CAEF5EC
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2F5C06_2_6CB2F5C0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB296E06_2_6CB296E0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB1B6506_2_6CB1B650
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB3F6406_2_6CB3F640
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB437C06_2_6CB437C0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB497006_2_6CB49700
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CAC30926_2_6CAC3092
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2F0506_2_6CB2F050
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB271F06_2_6CB271F0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2D2806_2_6CB2D280
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB2D3806_2_6CB2D380
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB36AF06_2_6CB36AF0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CB337506_2_6CB33750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A381EC10_2_00A381EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A781C010_2_00A781C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8824010_2_00A88240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6425010_2_00A64250
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8C3C010_2_00A8C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A804C810_2_00A804C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6865010_2_00A68650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A4094310_2_00A40943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6C95010_2_00A6C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A68C2010_2_00A68C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A84EA010_2_00A84EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A80E0010_2_00A80E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A510AC10_2_00A510AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A7D08910_2_00A7D089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A7518010_2_00A75180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A891C010_2_00A891C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6D1D010_2_00A6D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8112010_2_00A81120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8D2C010_2_00A8D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F53CF10_2_009F53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A553F310_2_00A553F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A3D49610_2_00A3D496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A854D010_2_00A854D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8D47010_2_00A8D470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F157210_2_009F1572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8155010_2_00A81550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A7D6A010_2_00A7D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A4965210_2_00A49652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F97CA10_2_009F97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A0976610_2_00A09766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8D9E010_2_00A8D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F1AA110_2_009F1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A75E8010_2_00A75E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A75F8010_2_00A75F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A0E00A10_2_00A0E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A722E010_2_00A722E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A9230010_2_00A92300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A5E49F10_2_00A5E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A725F010_2_00A725F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6A6A010_2_00A6A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A666D010_2_00A666D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8E99010_2_00A8E990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A72A8010_2_00A72A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A4AB1110_2_00A4AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A76CE010_2_00A76CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A770D010_2_00A770D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6B18010_2_00A6B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A5B12110_2_00A5B121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8720010_2_00A87200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A7F3A010_2_00A7F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A1B3E410_2_00A1B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8F3C010_2_00A8F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A7F42010_2_00A7F420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6741010_2_00A67410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8F59910_2_00A8F599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A8353010_2_00A83530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6F50010_2_00A6F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A9351A10_2_00A9351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A9360110_2_00A93601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6379010_2_00A63790
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A877C010_2_00A877C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A1F8E010_2_00A1F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6F91010_2_00A6F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A43AEF10_2_00A43AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A77AF010_2_00A77AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A0BAC910_2_00A0BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A0BC9210_2_00A0BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A77C5010_2_00A77C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A6FDF010_2_00A6FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 009F28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 009F1E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00A8FB10 appears 723 times
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: String function: 6CB46F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: String function: 6CAA9240 appears 53 times
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028533279.000000007F0DA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028170519.00000000037BE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000000.2026592973.0000000000F19000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exeBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal80.evad.winEXE@129/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CA75D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6CA75D60
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_009F9313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A03D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_00A03D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_009F9252
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpCode function: 6_2_6CA75240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,6_2_6CA75240
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\is-DQU5P.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1564:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2556:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3560:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3448:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-213SN.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2049A,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2049A,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this entry is repeated 31 times in the report)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
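The process chain above is the report's central behavioural evidence. The /SL5 switch, the is-*.tmp stub and /VERYSILENT mark the dropper as an Inno Setup installer; it re-launches itself silently, runs powershell.exe to add the whole of C:\ as a Windows Defender exclusion (the cmdlet is served by the Defender WMI provider, which is why powershell.exe spawns WmiPrvSE.exe and that process later loads mpclient.dll), unpacks two password-protected archives with a bundled 7zr.exe, registers tProtect.dll as a kernel-mode service named CleverSoar (a .dll-named file outside System32\drivers whose debug path points at a TfSysMon driver build tree, not at anything built for this installer) and then issues sc start CleverSoar dozens of times. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it runs detection logic over a constructed subset of the process-creation entries above, represented as (parent, image, command line) tuples, plus one synthetic -EncodedCommand variant to exercise the Base64 case the Sigma rule in the summary targets. The rule identifiers, the repeated-start threshold and the driver-directory allow-list are the example's own assumptions.

```python
"""Detection logic for the process chain shown in this report (added example).

SAMPLE_EVENTS is a constructed subset of the 'Process created' entries as
(parent, image, command line) tuples; rule names and thresholds are assumptions."""
import base64
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

TMP5 = r"C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp"
TMP6 = r"C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp"
CMD, SC = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SEVENZ = r"C:\Program Files (x86)\Windows NT\7zr.exe"

PLAIN_PS = r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''
# Synthetic variant (not in the report): the same cmdlet hidden behind -EncodedCommand,
# the form the 'Base64 Encoded MpPreference Cmdlet' Sigma rule looks for.
ENCODED_PS = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()

SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    (TMP5, PS, PLAIN_PS),
    ("synthetic", PS, ENCODED_PS),
    (CMD, SC, r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    (TMP6, SEVENZ, "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    (TMP6, SEVENZ, "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
] + [(CMD, SC, "sc start CleverSoar")] * 5      # the report shows far more than five

DRIVER_DIR = r"c:\windows\system32\drivers"     # assumed allow-list for kernel binPath
START_THRESHOLD = 3                             # assumed: repeated starts worth flagging


def decode_powershell(cmdline: str) -> str:
    """Return the script text; decodes -EncodedCommand (UTF-16LE base64) when present."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def parse_sc_create(cmdline: str) -> Optional[Dict[str, str]]:
    """Parse 'sc create <name> key= value ...' (sc.exe requires the space after '=')."""
    m = re.match(r"\s*sc(?:\.exe)?\s+create\s+(\S+)(.*)$", cmdline, re.I)
    if not m:
        return None
    svc = {"name": m.group(1)}
    for key, value in re.findall(r'(\w+)=\s*("[^"]*"|\S+)', m.group(2)):
        svc[key.lower()] = value.strip('"')
    return svc


def check_kernel_service(svc: Dict[str, str]) -> Optional[str]:
    """Flag kernel/filesystem drivers registered outside the drivers directory or not named .sys."""
    if svc.get("type", "").lower() not in ("kernel", "filesys"):
        return None
    path = svc.get("binpath", "")
    low = path.lower()
    if low.startswith(DRIVER_DIR) and low.endswith(".sys"):
        return None
    return f"kernel service {svc['name']} registered with binPath {path}"


def parse_7z_extract(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Recognise '7z/7za/7zr x|e <archive> ... -p<password>' and pull out archive and password."""
    toks = cmdline.split()
    if len(toks) < 3 or not re.fullmatch(r"(?:.*\\)?7z[ra]?(?:\.exe)?", toks[0], re.I) \
            or toks[1].lower() not in ("x", "e"):
        return None
    archive = next((t for t in toks[2:] if not t.startswith("-")), None)
    password = next((t[2:] for t in toks[2:] if t.startswith("-p")), None)
    return {"archive": archive, "password": password}


def scan(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Run the three per-event rules plus the service-start counter; return (rule, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    starts: Counter = Counter()
    for parent, image, cmdline in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "powershell.exe":
            script = decode_powershell(cmdline)
            if re.search(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", script, re.I) \
                    or re.search(r"Set-MpPreference\s+-Disable", script, re.I):
                findings.append(("defender_exclusion", f"{parent} -> {script.strip()}"))
        elif exe == "sc.exe":
            svc = parse_sc_create(cmdline)
            reason = check_kernel_service(svc) if svc else None
            if reason:
                findings.append(("kernel_service_nonstandard_binpath", reason))
            m = re.match(r"\s*sc(?:\.exe)?\s+start\s+(\S+)", cmdline, re.I)
            if m:
                starts[m.group(1)] += 1
        elif exe in ("7z.exe", "7za.exe", "7zr.exe"):
            arc = parse_7z_extract(cmdline)
            if arc and arc["password"]:
                findings.append(("archive_password_on_cmdline",
                                 f"{arc['archive']} password={arc['password']}"))
    for name, n in starts.items():
        if n >= START_THRESHOLD:
            findings.append(("repeated_service_start", f"{name} started {n} times"))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On a live host the two decisive actions also leave records that do not depend on command-line logging: Windows Defender writes event 5007 (configuration changed) to the Microsoft-Windows-Windows Defender/Operational log when an exclusion is added, and the Service Control Manager writes event 7045 (a service was installed) to the System log for the sc create; Get-MpPreference with its ExclusionPath property shows whether the C:\ exclusion is still in place. The password on the 7zr command line is worth recording as well, since it lets an analyst open res.dat and locale3.dat from the dropped files without running the installer again.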
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static file information: File size 5707247 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2088481480.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2088003340.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00A757D0
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: real checksum: 0x0 should be: 0x57a2f0
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: is-KEV8K.tmp.6.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA786EB push ecx; ret 6_2_6CA786FE
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6C920F00 push ss; retn 0001h 6_2_6C920F0A
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CB46F10 push eax; ret 6_2_6CB46F2E
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CAAB9F4 push 004AC35Ch; ret 6_2_6CAABA0E
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CB47290 push eax; ret 6_2_6CB472BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F45F4 push 00A9C35Ch; ret 10_2_009F460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A8FB10 push eax; ret 10_2_00A8FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A8FE90 push eax; ret 10_2_00A8FEBE
Source: update.vac.2.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BLV2B.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\is-KEV8K.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SDTHL.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BLV2B.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SDTHL.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BLV2B.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SDTHL.tmp\update.vacJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3105
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window / User API: threadDelayed 627
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window / User API: threadDelayed 644
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window / User API: threadDelayed 589
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BLV2B.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-KEV8K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SDTHL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BLV2B.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SDTHL.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168 | Thread sleep count: 6505 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592 | Thread sleep count: 3105 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA6AEC0 FindFirstFileA,FindClose,6_2_6CA6AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_009F6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_009F7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F9C60 GetSystemInfo,10_2_009F9C60
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000002.2058730208.00000000012EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6C8F3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C8F3886
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA80181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6CA80181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00A757D0
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA89D35 mov eax, dword ptr fs:[00000030h] 6_2_6CA89D35
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA89D66 mov eax, dword ptr fs:[00000030h] 6_2_6CA89D66
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA7F17D mov eax, dword ptr fs:[00000030h] 6_2_6CA7F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CA78CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6CA78CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: tProtect.dll.12.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 6_2_6CB47720 cpuid 6_2_6CB47720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009FAB2A GetSystemTimeAsFileTime, 10_2_009FAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A90090 GetVersion, 10_2_00A90090
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2201852114.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix, tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation
1
Windows Service
1
Access Token Manipulation
11
Masquerading
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter
1
DLL Side-Loading
1
Windows Service
1
Disable or Modify Tools
LSASS Memory331
Security Software Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Service Execution
Logon Script (Windows)111
Process Injection
231
Virtualization/Sandbox Evasion
Security Account Manager231
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
Native API
Login Hook1
DLL Side-Loading
1
Access Token Manipulation
NTDS2
Process Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
Process Injection
LSA Secrets1
Application Window Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information
Cached Domain Credentials2
System Owner/User Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
Obfuscated Files or Information
DCSync3
File and Directory Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing
Proc Filesystem35
System Information Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1579604 | Sample: #U5b89#U88c5#U52a9#U624b_1.... | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 80

Signatures attached to the sample start node:
  - Found driver which could be used to inject code into processes
  - PE file contains section with special chars
  - AI detected suspicious sample
  - Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree recovered from the behavior graph (node numbers are the graph's own):
  2  start
    10 #U5b89#U88c5#U52a9#U624b_1.0.1.exe
       dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PE32)
       19 #U5b89#U88c5#U52a9#U624b_1.0.1.tmp
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          signature: Adds a directory exclusion to Windows Defender
          35 #U5b89#U88c5#U52a9#U624b_1.0.1.exe
             dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PE32)
             55 #U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\trash (copy) (PE32+); 3 other files (none is malicious)
                signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                63 7zr.exe
                   dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                   68 conhost.exe
                66 7zr.exe
                   70 conhost.exe
          38 powershell.exe
             signature: Loading BitLocker PowerShell Module
             59 conhost.exe
             61 WmiPrvSE.exe
    13 cmd.exe
       23 sc.exe
          41 conhost.exe
    15 cmd.exe
       25 sc.exe
          43 conhost.exe
    17 31 other processes
       27 sc.exe
          45 conhost.exe
       29 sc.exe
          47 conhost.exe
       31 sc.exe
          49 conhost.exe
       33 27 other processes
          51 conhost.exe
          53 26 other processes

Sample scan results
Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_1.0.1.exe | 6% | Virustotal
#U5b89#U88c5#U52a9#U624b_1.0.1.exe | 0% | ReversingLabs

Dropped file scan results
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-KEV8K.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BLV2B.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SDTHL.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | false | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | false | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | false | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | false | unknown
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028533279.000000007EDDB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028170519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000000.2030355478.0000000000801000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000000.2052977201.00000000006DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | false | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | false | unknown
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028533279.000000007EDDB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2028170519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000000.2030355478.0000000000801000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000000.2052977201.00000000006DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | false | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000006.00000002.2204493444.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-KEV8K.tmp.6.dr | false | unknown
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1579604
                    Start date and time:2024-12-23 05:05:08 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 41s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:110
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Critical Process Termination
                    Sample name:#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                    renamed because original name is a hash value
                    Original Sample Name:_1.0.1.exe
                    Detection:MAL
                    Classification:mal80.evad.winEXE@129/32@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 76%
                    • Number of executed functions: 28
                    • Number of non-executed functions: 76
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
                    • Excluded IPs from analysis (whitelisted): 172.202.163.200, 23.32.238.219, 23.32.238.226, 20.3.187.198, 13.107.246.63
                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, dns.msftncsi.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                    • Not all processes were analyzed; the report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:05:59 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp modified
23:06:01 | API Interceptor | 24x Sleep call for process: powershell.exe modified
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | ekTL8jTI4D.msi | malicious | Unknown
C:\Program Files (x86)\Windows NT\is-KEV8K.tmp | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\is-KEV8K.tmp | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):831200
                              Entropy (8bit):6.671005303304742
                              Encrypted:false
                              SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                              MD5:84DC4B92D860E8AEA55D12B1E87EA108
                              SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                              SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                              SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              • Filename: ekTL8jTI4D.msi, Detection: malicious
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):249968
                              Entropy (8bit):7.999211756066816
                              Encrypted:true
                              SSDEEP:6144:N0wZbYJgxjYCjmIbsdVQV5FhxZO9y4DJSJJxXdChL54nxXg:JygWCKnVQVzh69hQ7MhF4nxXg
                              MD5:45CB5DC5018CDEB5A473F0B00E0C8BAE
                              SHA1:0A645DA501A7E2D22711F5C9548EDA6D6AC3D3AD
                              SHA-256:BDA1698AD6C7072F9BAF5B180171B0765269C6BC46A619BF17242F542BAC0177
                              SHA-512:3DE7E64CA36E43066B5C698FC18569F6B279E886B3FB762BFE3929B676BA23C1981B1810A11F7837095F13956E831195EC75C806118FFEEACFF700039226AD9A
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):249968
                              Entropy (8bit):7.999211756066816
                              Encrypted:true
                              SSDEEP:6144:N0wZbYJgxjYCjmIbsdVQV5FhxZO9y4DJSJJxXdChL54nxXg:JygWCKnVQVzh69hQ7MhF4nxXg
                              MD5:45CB5DC5018CDEB5A473F0B00E0C8BAE
                              SHA1:0A645DA501A7E2D22711F5C9548EDA6D6AC3D3AD
                              SHA-256:BDA1698AD6C7072F9BAF5B180171B0765269C6BC46A619BF17242F542BAC0177
                              SHA-512:3DE7E64CA36E43066B5C698FC18569F6B279E886B3FB762BFE3929B676BA23C1981B1810A11F7837095F13956E831195EC75C806118FFEEACFF700039226AD9A
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                              Category:dropped
                              Size (bytes):5649408
                              Entropy (8bit):6.392614480390128
                              Encrypted:false
                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.99665961794448
                              Encrypted:true
                              SSDEEP:1536:sU9ckA31pDBI7XiSQW0lIyp0nfdTeJJMnaJbO2:sRkAFpFIfVAX2lsbr
                              MD5:E24AB44862B98B5FF4047392DC9E6154
                              SHA1:4BA925CFA75BBE107DE3BAA24C99C33FEE7E37C3
                              SHA-256:8322FCDE87688C0C1BC42F89AFE46DE3911F74627774888CF0473D6C56C561AB
                              SHA-512:727F7CEA4D5953D75E33E4F03BD14D4F7C2834945AF669653072F9AE381FBE15B3298052EAC76D052E648A23D02664D23B4C230D522A297AE73FD25187E371F3
                              Malicious:false
                              Preview:.@S......./| ...............f..u].L..s.......9....(1.Z.7. .^..>.67........cc1...r..<0r.j...F.iI"7yM2e.oKZK.<l.d]e,6.7..k....Twk1.EKU[e........#..J.H&...#'z..|.B">uM.&+.3...'...........Q....O..[^G0...j...Z..Z......P.Q......SBo...........E....|.U....8.m..8.@*...$8dn...g.3x.8...m.*.CJ...p....d....h......M|x.\=.-*...F..4../...2..Z.T..G.E...i.{&.@d..L.,..Q..%.S.FB.,..mS..a.#![>8.3E1.I.A..Zt.......kO1.....0E.....z.k...~d....q.....f....yH......e.....dP.....l...G....$.\'......A._F.1Y.Z0^F..41..h...........<.p..kI....o..WF.*B.5..dG..m~^~C..Q~j.j+.6.4....B>.{M..5.......4M.fQ..&....~.\ .C.v=..{)7"....\r..!.......0:t.U...d.^A..BA.L...0x.%...>.....P.o....9.=..Y.t....F....A[/z.....S.'_*.*1.C.....66...._r<.Dm.6..,.>..J.qS..0St*!J..I....=...5$......X.......Y}.d....Y...S8%.Z..*.P.,P!.f>....&...CO...... ..!9f..\....I..sC..|..t..B.B..K.......4...P.........[W.3J5Of.g.X...FD..$.cY.c.U..c.F....4nM.g..........7.0.lgsB.!-.....2Z<z.....aWi.{..Z..?.D...r...QF.
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.996659617944482
                              Encrypted:true
                              SSDEEP:768:y02vNxga1LZoq/XnKcxKY5tajmkKWVh7oPUU0LbvtW8YrZ6PnK1li6T1XBHYDa:y02Vxga1Nx/XnKPY5EjzGH0LjkoPKZVH
                              MD5:73D8B945B42E6E03EA8BDEE281D0F951
                              SHA1:48FF54E1A4A13DD64D70B62C9FA0057A9B8EAB42
                              SHA-256:3E2947E4F7C6003A56AE139BE1E7E59AD3B5B896AC637756E3331BCF7056D877
                              SHA-512:68E2BDB7DD42397334DAC2AAF888761F8FD9EA2EC381D6F6B170E01444B9E555F4B3FEB3129D20748EFF62D41BB29DD8F9380310CCAEE29EF53BC6195D852C66
                              Malicious:false
                              Preview:7z..'...P)(........2........V.t;..q.y/.m"J+......>.Y..7.(M.^..:A..K..V.F3...<...?...3.....=.G........5....R..A.......fE.*..!....x.....W.q......x..'n..`Bm............A..D..X1..../..,...k..'..H.....W.y..>3.....F.$...h.O(..Wd=.....4..\./-......{.....!.o...j..4i.b..BB'...p..N............`\J.4>$..I...uz./4....O..,....}.N6K.NI.}eW..,......9.j=R.*..A..yg...........p..;.....&)..K....#....p.W.....`y".S.....S..2.P..g"....4... $Z..).o.w..}w@..6..phf.)m0=9...&9.V...Z...9xye.'U.....[k.g.....f....n..~w.L...fOrn,^=P...gJ...1.0C.d...[....b...(......9....R..Q.m.T(.......m..S#l..>.V.]..8Y.K.CLg.R.E..!.*..gt.......4..k..AF...,A.....[L"..2D...Z.e{f.G...x..M.KgI=.G.W.......,J.2c.8.j`..W6w..........)r.......EW.....05.k......&.g....Y.'...;[....c.T.U.._.t..Ok... e.M.D-{..,..m.d..0.n.J...$..9.^.0....&.....%....PQ-IX..|...J%{..e..[l..*..*..U+.Y.......y.nO<.Q.O&.Az%kRe...G..X.....Q.S5.h........Do..n..X...|.U&A.!d..t^..k..........xV[......NvK.u....eg.T..q..Fx.(.!..5
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255975
                              Encrypted:true
                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                              Malicious:false
                              Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):249968
                              Entropy (8bit):7.999211756066819
                              Encrypted:true
                              SSDEEP:6144:h4MUFOk8txcHNp1w1yXs1aLQI+guQgLE03bzyL5:hj+Ok8rONfw14uaLNeJzO5
                              MD5:902C32D2B07BC62D00E528C624DF4B64
                              SHA1:EC3223C30C2FD29A18975D01BC5FA74442D73248
                              SHA-256:966EDB310BC5221082217ABA9B730BE82DCC7E54FCF2FEFCB52B731FB0EB8D6C
                              SHA-512:D09EE8D46AED66010A47A0BB12365736392FCB6F25A385E6C5C3FCDCFBF885A234DD881B6040F39EA97A8A43DA3368BD6DD13A4E7E36111A57BEBF23101654C6
                              Malicious:false
                              Preview:7z..'...............@..........{....{?.(%e..3s.;`P..6..........C.....s..z.$ZK...V88..7.A8.X.9...<.R&vk2S..x...[h...2.I...q..^.>..ej.....i..D.rJM. .^....cQuP....Pxo.....T..O.R..V>.BK...L0.9.z}....^..`a.Z....................I.._.R.<.-XFGX.E0..^ZvF.....S..00.W..{......E..-.z...k...?..?...A.....3w .t%..T.....y.4zU.v@i.C..T..z..aO..#q>.pLC.(.p...X..U.l....v.........j.*.....`.m..e......3B..k..5........SM.6c.Z...d....$.s..Zj.G.7H.?g*ig...%.:y.I..a. K...].X06.=.^..H/...nl..SOw..WR...D.?......K.....=....c..^99.....^....~K...#qJ.[;....O.Z.Y.,.........Z\....7.~K.&.6`_8.%......>A(.......C.%..C..j...+....@.b.!......{.Y..*.[..........<.Y.Jcv.;.......%0;.<0.T.U5</......C.A.^...f.3...pX....+TSe...En...am......^......:.......C..T.F(.HR._...d 2y$.D.|[k.^....\^M..a4>.ay......R...I..RI......0......o.......@.}I.t.~._....L....t.......O...\.{G.j$.aH.^.E(..}s3.R.{.Us...]]).X..a.D...{.8. .m.UK...A.0.E.....h..C8..a."..Q..`.4.........s..M,....1mqw......|;dH.*..^_b*.)...
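The pairs of entries above (a "7-zip archive data" file written by the Inno Setup .tmp, then a "data" blob of identical size written by 7zr.exe, all with entropy above 7.99 and "Encrypted: true") can be checked offline against a copy of the files. The following is an added example, not code from the report or from the sample: it recomputes the report's "Entropy (8bit)", "File Type" (for the two magics that occur in this listing, 7z and MZ/PE) and hash fields, and applies the "content does not match file extension" test. The 7.9 entropy threshold is an assumption; the report does not state its cut-off. All inputs are constructed stand-ins, sized like the first archive pair.

```python
"""Dropped-file triage: 8-bit Shannon entropy, header-magic sniffing, extension check."""
import hashlib
import math
from collections import Counter
from typing import Optional

# 7-Zip archives start with 37 7A BC AF 27 1C, the "7z..'." prefix seen in the previews.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
MZ_MAGIC = b"MZ"

# Assumed cut-off for "Encrypted: true"; the report's exact threshold is not documented here.
ENTROPY_THRESHOLD = 7.9

# Extensions whose content should carry the matching magic.
EXPECTED_EXT = {
    "7-zip archive data": {"7z"},
    "PE executable": {"exe", "dll", "sys", "scr", "ocx", "drv", "cpl"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): the report's "Entropy (8bit)"."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Coarse libmagic-style label from the leading bytes only."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7-zip archive data"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "PE executable"
        return "MZ executable"
    return "data"  # what file(1) prints when nothing matches, e.g. the ".@S" blobs above


def extension_matches(filename: str, kind: str) -> Optional[bool]:
    """True/False when the sniffed type implies an extension set, None when it does not."""
    expected = EXPECTED_EXT.get(kind)
    if expected is None:
        return None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in expected


def triage(filename: str, data: bytes) -> dict:
    """One row of the dropped-file table, computed from the bytes."""
    kind = sniff_type(data)
    entropy = shannon_entropy(data)
    return {
        "name": filename,
        "size": len(data),
        "type": kind,
        "entropy": round(entropy, 6),
        "encrypted": entropy >= ENTROPY_THRESHOLD,
        "extension_matches": extension_matches(filename, kind),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted archive content (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples: a 7z-magic blob with the 56530-byte size of the first pair above,
# and the AppLocker probe text that PowerShell drops (listed further down the report).
SAMPLE_ARCHIVE = SEVEN_ZIP_MAGIC + pseudo_random_bytes(56530 - len(SEVEN_ZIP_MAGIC), b"constructed")
SAMPLE_TEXT = b"# PowerShell test file to determine AppLocker lockdown mode"

if __name__ == "__main__":
    for name, blob in (("payload.7z", SAMPLE_ARCHIVE), ("payload.dat", SAMPLE_ARCHIVE), ("probe.ps1", SAMPLE_TEXT)):
        row = triage(name, blob)
        print(f'{row["name"]:12} {row["type"]:20} entropy={row["entropy"]:.3f} '
              f'encrypted={row["encrypted"]} ext_ok={row["extension_matches"]}')
```

Running it on the real files would reproduce the MD5/SHA-256 values listed above; a file whose extension says one thing and whose magic says another (the report's "non-matching file extension" signature) shows up as `extension_matches=False`.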
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
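The entry above is the only native-subsystem image in the listing (a 63640-byte PE32+ with an INIT section, dropped by 7zr.exe), which is what the "Found driver which could be used to inject code into processes" signature refers to. The following is an added example, not code from the report: a minimal PE header reader that reproduces the report's "File Type" labels for the three kinds of image present here (PE32+ native, PE32+ console, PE32 GUI) and adds a kernel-driver heuristic. The labels follow file(1)'s wording; `build_sample_image()` constructs synthetic test headers and is not any of the dropped files.

```python
"""Minimal PE header reader: machine, PE32/PE32+, subsystem, DLL flag, section names."""
import struct

MACHINE = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console", 9: "Windows CE", 10: "EFI application"}
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _stamp, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # Subsystem and DllCharacteristics sit at offset 68 of the optional header for PE32 and PE32+.
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, _rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "pe32plus": magic == 0x20B, "subsystem": subsystem,
            "characteristics": characteristics, "dll_characteristics": dll_chars,
            "sections": sections}


def describe(info: dict) -> str:
    """file(1)-style label, e.g. 'PE32+ executable (native) x86-64, for MS Windows'."""
    fmt = "PE32+" if info["pe32plus"] else "PE32"
    dll = "(DLL) " if info["characteristics"] & IMAGE_FILE_DLL else ""
    sub = SUBSYSTEM.get(info["subsystem"], f"subsystem {info['subsystem']}")
    mach = MACHINE.get(info["machine"], f"machine {info['machine']:#x}")
    return f"{fmt} executable {dll}({sub}) {mach}, for MS Windows"


def looks_like_kernel_driver(info: dict) -> bool:
    """Heuristic: native subsystem plus an INIT section (driver entry code that is discarded
    after DriverEntry). User-mode native images exist too, so treat this as a triage hint."""
    names = {s["name"] for s in info["sections"]}
    return info["subsystem"] == IMAGE_SUBSYSTEM_NATIVE and "INIT" in names


def build_sample_image(machine: int, pe32plus: bool, subsystem: int, section_names: list,
                       characteristics: int = 0x0022) -> bytes:
    """Constructed header-only PE image for testing; not one of the report's dropped files."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<HH", opt, 68, subsystem, 0x0160)  # DllCharacteristics: HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                    0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    drv = parse_pe(build_sample_image(0x8664, True, 1,
                                      [".text", ".rdata", ".data", ".pdata", "INIT", ".rsrc", ".reloc"]))
    print(describe(drv), "driver-like:", looks_like_kernel_driver(drv))
```

For the real driver the next step would be to dump its import table (ntoskrnl.exe imports such as process or memory routines) and the code signature, neither of which a header-only parse gives you.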
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.3449406240731085
                              Encrypted:false
                              SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                              MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                              SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                              SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                              SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
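The 4096-byte "data" file above is a Task Scheduler definition: registered at the root as \kafanbbs, claiming "Microsoft Corporation" authorship with a 2005 registration date, fired by a LogonTrigger and run at HighestAvailable. This is the persistence half of the installer. The following is an added example, not code from the report: it parses such a definition and lists the attributes an analyst would flag. Because the preview is cut off after `<RunOnlyIfNetworkAv`, `SAMPLE_TASK` is a constructed completion that keeps the visible fields and adds a placeholder `Actions/Exec/Command`; the real task's command is not shown on this page. `BENIGN_TASK` is likewise constructed.

```python
"""Triage of a Windows Task Scheduler XML definition."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed completion of the truncated preview above; the Command path is a placeholder.
SAMPLE_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System"><UserId>user</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
  </Settings>
  <Actions Context="System">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\placeholder.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed Microsoft-style task for comparison (placeholder command, not a real task).
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\\Microsoft\\Windows\\Example\\Cleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2020-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowHardTerminate>true</AllowHardTerminate></Settings>
  <Actions Context="LocalSystem"><Exec><Command>C:\\Windows\\System32\\example.exe</Command></Exec></Actions>
</Task>"""

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def summarize_task(xml_text: str) -> dict:
    """Pull the fields that matter for triage out of the task XML."""
    root = ET.fromstring(xml_text)
    return {
        "uri": _text(root, "t:RegistrationInfo/t:URI"),
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "date": _text(root, "t:RegistrationInfo/t:Date"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "logon_trigger": root.find("t:Triggers/t:LogonTrigger", NS) is not None,
        "allow_hard_terminate": _text(root, "t:Settings/t:AllowHardTerminate"),
        "start_when_available": _text(root, "t:Settings/t:StartWhenAvailable"),
        "commands": [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text],
    }


def flag_task(summary: dict) -> list:
    """Heuristic findings; genuine Microsoft tasks live under \\Microsoft\\ and rarely need all of these."""
    findings = []
    uri = summary["uri"] or ""
    if summary["author"] == "Microsoft Corporation" and not uri.lower().startswith("\\microsoft\\"):
        findings.append("Microsoft authorship claimed for a task registered outside \\Microsoft\\")
    if summary["run_level"] == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: runs with the user's full (admin) token when available")
    if summary["logon_trigger"]:
        findings.append("LogonTrigger: re-runs at every logon (persistence)")
    if summary["allow_hard_terminate"] == "false":
        findings.append("AllowHardTerminate=false: Task Scheduler will not kill a runaway instance")
    for cmd in summary["commands"]:
        if not cmd.lower().startswith(SYSTEM_DIRS):
            findings.append(f"Exec command outside system directories: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in flag_task(summarize_task(SAMPLE_TASK)):
        print("-", finding)
```

On a live host the same fields can be pulled from the task files under C:\Windows\System32\Tasks, where a task whose XML claims Microsoft authorship but sits at the root of the tree stands out immediately.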
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                              Category:dropped
                              Size (bytes):5649408
                              Entropy (8bit):6.392614480390128
                              Encrypted:false
                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                              MD5:DA1F22117B9766A1F0220503765A5BA5
                              SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                              SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                              SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                              Malicious:false
                              Preview:@...e.................................R..............@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.921226213607136
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.04%
                              • Inno Setup installer (109748/4) 1.08%
                              • InstallShield setup (43055/19) 0.42%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              File name:#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              File size:5'707'247 bytes
                              MD5:e927de0d1a14c591a56b4cea00e4e7a0
                              SHA1:fdf1ffc45903447f2a6ec0a3c11e1f965674ffa5
                              SHA256:2dd9a2505feb807103a8caff637f1c046d2d0dba41ac9403a99979e13acb45b4
                              SHA512:8b33ac84a8d4edd6b8245565f88ebbad40670710630955dca7696410584f20dbcb29f155fc2d910f322a5842c1e8dbdc8b6ad01092023d1ec37962bbdafd1787
                              SSDEEP:98304:XwRE9dQgIudso3UTFvkZlHIU4s2gFO8eZw++bRxbUlOxFtGIidMwZgf:lpdzU0loU4D8eZw+qxbEs
                              TLSH:CA461213F2CBE03EE05D1B3B06B2A15494FBAA616423AD5696ECB4ECCF351601D3E647
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:0c0c2d33ceec80aa
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007FF710D4B1C5h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007FF710DDCB4Bh
                              call 00007FF710DDC69Eh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007FF710DD7378h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007FF710D45273h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007FF710DD86A3h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007FF710DDCBD3h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007FF710DE38BAh
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007FF710DD8F98h
                              mov edx, dword ptr [004B4200h]
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xcb000 | 0x11000 | 0x11000 | 37d272d79f500ceea55e69cb32835e9d | False | 0.18785903033088236 | data | 3.7213025055162317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                               RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                               RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                               RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                               RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                               RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                               RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                               RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                               RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                               RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                               RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                               RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                               RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                               RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                               RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                               RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                               RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                               RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                               RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                               RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                               RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                               RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                               RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                               RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                               RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                               RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                               RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                               RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                               RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                               RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                               DLL | Import
                               kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll | InitCommonControls
                               user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                               Name | Ordinal | Address
                               __dbk_fcall_wrapper | 2 | 0x40fc10
                               dbkFCallWrapperAddr | 1 | 0x4b063c
                               Language of compilation system | Country where language is spoken
                               English | United States
                              No network behavior found

                              Target ID:0
                              Start time:23:05:58
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
                              Imagebase:0xe60000
                              File size:5'707'247 bytes
                              MD5 hash:E927DE0D1A14C591A56B4CEA00E4E7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:23:05:58
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-213SN.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$10482,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
                              Imagebase:0x800000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:23:05:59
                              Start date:22/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff7be880000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:23:05:59
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:23:05:59
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
                              Imagebase:0xe60000
                              File size:5'707'247 bytes
                              MD5 hash:E927DE0D1A14C591A56B4CEA00E4E7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:6
                              Start time:23:06:00
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-2OO0O.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2049A,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
                              Imagebase:0x460000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:23:06:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:23:06:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:23:06:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:23:06:02
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0x9f0000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:11
                              Start time:23:06:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0x9f0000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:13
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff6ef0c0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:20
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:23:06:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:23:06:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:98
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff660d90000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:107
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:108
                              Start time:23:06:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff61f7b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true


                                Execution Graph

                                Execution Coverage:1.6%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:15.6%
                                Total number of Nodes:776
                                Total number of Limit Nodes:10
6ca8b925 100674->100681 100694 6ca8ba41 LeaveCriticalSection __wsopen_s 100675->100694 100678 6ca8ba2a 100678->100609 100679->100609 100680->100674 100695 6ca915a2 100681->100695 100683 6ca8b93b 100700 6ca9171f SetStdHandle __dosmaperr __wsopen_s 100683->100700 100684 6ca8b935 100684->100683 100685 6ca8b96d 100684->100685 100687 6ca915a2 __wsopen_s 18 API calls 100684->100687 100685->100683 100688 6ca915a2 __wsopen_s 18 API calls 100685->100688 100689 6ca8b964 100687->100689 100690 6ca8b979 CloseHandle 100688->100690 100691 6ca915a2 __wsopen_s 18 API calls 100689->100691 100690->100683 100692 6ca8b985 GetLastError 100690->100692 100691->100685 100692->100683 100693 6ca8b993 __dosmaperr 100693->100675 100694->100678 100696 6ca915af __dosmaperr 100695->100696 100698 6ca915c4 __dosmaperr 100695->100698 100696->100684 100697 6ca915e9 100697->100684 100698->100697 100699 6ca80120 __wsopen_s 18 API calls 100698->100699 100699->100696 100700->100693 100701->100294 100702->100296 100703->100298 100705 6ca765dc 100704->100705 100706 6ca76608 100704->100706 100707 6ca76601 100705->100707 100727 6c942250 30 API calls 100705->100727 100712 6ca76619 100706->100712 100725 6c943560 32 API calls std::_Xinvalid_argument 100706->100725 100707->100307 100710 6ca767e8 100728 6c942340 24 API calls 100710->100728 100712->100707 100726 6c942f60 42 API calls 4 library calls 100712->100726 100713 6ca767f7 100729 6ca79379 RaiseException 100713->100729 100717 6ca76827 100731 6c942340 24 API calls 100717->100731 100719 6ca7683d 100732 6ca79379 RaiseException 100719->100732 100721 6ca76653 100721->100707 100730 6c942250 30 API calls 100721->100730 100722->100307 100723->100307 100724->100307 100725->100712 100726->100721 100727->100710 100728->100713 100729->100721 100730->100717 100731->100719 100732->100707 100733->100314 100734->100316 100735->100314 100736->100314 100737->100314 100739 6c94022e 100738->100739 100740 6c9404d6 100739->100740 100745 6ca817db 100739->100745 100740->100325 
100742->100327 100743->100329 100744->100331 100746 6ca817e9 100745->100746 100747 6ca81806 100745->100747 100746->100747 100748 6ca8180a 100746->100748 100749 6ca817f6 100746->100749 100747->100739 100753 6ca81a02 100748->100753 100761 6ca80120 18 API calls __wsopen_s 100749->100761 100754 6ca81a0e __wsopen_s 100753->100754 100762 6ca7c5a9 EnterCriticalSection 100754->100762 100756 6ca81a1c 100763 6ca819bf 100756->100763 100760 6ca8183c 100760->100739 100761->100747 100762->100756 100771 6ca885a6 100763->100771 100769 6ca819f9 100770 6ca81a51 LeaveCriticalSection 100769->100770 100770->100760 100772 6ca89c60 18 API calls 100771->100772 100773 6ca885b7 100772->100773 100788 6ca919e5 100773->100788 100775 6ca819d3 100778 6ca8183e 100775->100778 100776 6ca885bd __wsopen_s 100776->100775 100793 6ca847bb HeapFree GetLastError __dosmaperr 100776->100793 100779 6ca81850 100778->100779 100782 6ca8186e 100778->100782 100780 6ca8185e 100779->100780 100779->100782 100785 6ca81886 _Yarn 100779->100785 100795 6ca80120 18 API calls __wsopen_s 100780->100795 100787 6ca88659 62 API calls 100782->100787 100783 6ca80cb9 62 API calls 100783->100785 100784 6ca89c60 18 API calls 100784->100785 100785->100782 100785->100783 100785->100784 100786 6ca8bb6c __wsopen_s 62 API calls 100785->100786 100786->100785 100787->100769 100789 6ca919f2 100788->100789 100791 6ca919ff 100788->100791 100789->100776 100790 6ca91a0b 100790->100776 100791->100790 100794 6ca80120 18 API calls __wsopen_s 100791->100794 100793->100775 100794->100789 100795->100782 100796->100348 100797->100350 100798->100352 100799->100249 100800->100256 100801->100258 100802->100251 100803->100254 100804 6ca7ef3f 100805 6ca7ef4b __wsopen_s 100804->100805 100806 6ca7ef52 GetLastError ExitThread 100805->100806 100807 6ca7ef5f 100805->100807 100816 6ca849b2 GetLastError 100807->100816 100812 6ca7ef7b 100849 6ca7eeaa 16 API calls 2 library calls 100812->100849 100815 6ca7ef9d 100817 6ca849c9 100816->100817 100818 6ca849cf 
100816->100818 100850 6ca86b23 6 API calls std::_Lockit::_Lockit 100817->100850 100822 6ca849d5 SetLastError 100818->100822 100851 6ca86b62 6 API calls std::_Lockit::_Lockit 100818->100851 100821 6ca849ed 100821->100822 100823 6ca849f1 100821->100823 100829 6ca84a69 100822->100829 100830 6ca7ef64 100822->100830 100852 6ca871e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100823->100852 100825 6ca849fd 100827 6ca84a1c 100825->100827 100828 6ca84a05 100825->100828 100855 6ca86b62 6 API calls std::_Lockit::_Lockit 100827->100855 100853 6ca86b62 6 API calls std::_Lockit::_Lockit 100828->100853 100858 6ca80ac9 37 API calls std::locale::_Setgloballocale 100829->100858 100843 6ca89d66 100830->100843 100834 6ca84a13 100854 6ca847bb HeapFree GetLastError __dosmaperr 100834->100854 100836 6ca84a28 100837 6ca84a2c 100836->100837 100838 6ca84a3d 100836->100838 100856 6ca86b62 6 API calls std::_Lockit::_Lockit 100837->100856 100857 6ca847bb HeapFree GetLastError __dosmaperr 100838->100857 100841 6ca84a19 100841->100822 100844 6ca89d78 GetPEB 100843->100844 100847 6ca7ef6f 100843->100847 100845 6ca89d8b 100844->100845 100844->100847 100859 6ca86e18 5 API calls std::_Lockit::_Lockit 100845->100859 100847->100812 100848 6ca86d6f 5 API calls std::_Lockit::_Lockit 100847->100848 100848->100812 100849->100815 100850->100818 100851->100821 100852->100825 100853->100834 100854->100841 100855->100836 100856->100834 100857->100841 100859->100847 100860 6ca8cad3 100861 6ca8cafd 100860->100861 100862 6ca8cae5 __dosmaperr 100860->100862 100861->100862 100863 6ca8cb77 100861->100863 100865 6ca8cb48 __dosmaperr 100861->100865 100866 6ca8cb90 100863->100866 100867 6ca8cbe7 __wsopen_s 100863->100867 100868 6ca8cbab __dosmaperr 100863->100868 100902 6ca80120 18 API calls __wsopen_s 100865->100902 100866->100868 100887 6ca8cb95 100866->100887 100896 6ca847bb HeapFree GetLastError __dosmaperr 100867->100896 100895 6ca80120 18 API calls __wsopen_s 
100868->100895 100869 6ca919e5 __wsopen_s 18 API calls 100871 6ca8cd3e 100869->100871 100874 6ca8cdb4 100871->100874 100877 6ca8cd57 GetConsoleMode 100871->100877 100872 6ca8cc07 100897 6ca847bb HeapFree GetLastError __dosmaperr 100872->100897 100876 6ca8cdb8 ReadFile 100874->100876 100879 6ca8ce2c GetLastError 100876->100879 100880 6ca8cdd2 100876->100880 100877->100874 100881 6ca8cd68 100877->100881 100878 6ca8cc0e 100882 6ca8cbc2 __dosmaperr __wsopen_s 100878->100882 100898 6ca8ac69 20 API calls __wsopen_s 100878->100898 100879->100882 100880->100879 100888 6ca8cda9 100880->100888 100881->100876 100883 6ca8cd6e ReadConsoleW 100881->100883 100899 6ca847bb HeapFree GetLastError __dosmaperr 100882->100899 100884 6ca8cd8a GetLastError 100883->100884 100883->100888 100884->100882 100887->100869 100888->100882 100889 6ca8ce0e 100888->100889 100890 6ca8cdf7 100888->100890 100889->100882 100892 6ca8ce25 100889->100892 100900 6ca8cefe 23 API calls 3 library calls 100890->100900 100901 6ca8d1b6 21 API calls __wsopen_s 100892->100901 100894 6ca8ce2a 100894->100882 100895->100882 100896->100872 100897->100878 100898->100887 100899->100862 100900->100882 100901->100894 100902->100862 100903 6c8f4b53 100904 6ca76a43 std::_Facet_Register 4 API calls 100903->100904 100905 6c8f4b5c _Yarn 100904->100905 100906 6ca6aec0 FindFirstFileA 100905->100906 100911 6c8f4bae std::ios_base::_Ios_base_dtor 100906->100911 100907 6c91639e 101094 6ca80130 18 API calls 2 library calls 100907->101094 100909 6c8f4cff 100910 6c8f5164 CreateFileA CloseHandle 100915 6c8f51ec 100910->100915 100911->100907 100911->100909 100911->100910 100912 6c90245a _Yarn _strlen 100911->100912 100912->100907 100914 6ca6aec0 FindFirstFileA 100912->100914 100930 6c902a83 std::ios_base::_Ios_base_dtor 100914->100930 101061 6ca75120 OpenSCManagerA 100915->101061 100917 6c8ffc00 101087 6ca75240 CreateToolhelp32Snapshot 100917->101087 100919 6ca76a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection 
LeaveCriticalSection std::_Facet_Register 100957 6c8f5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 100919->100957 100922 6ca6aec0 FindFirstFileA 100922->100957 100923 6c9037d0 Sleep 100967 6c9037e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 100923->100967 100924 6c9163b2 101095 6c8f15e0 18 API calls std::ios_base::_Ios_base_dtor 100924->101095 100925 6ca75240 4 API calls 100943 6c90053a 100925->100943 100927 6ca75240 4 API calls 100949 6c9012e2 100927->100949 100928 6c9164f8 100929 6c8fffe3 100929->100925 100935 6c900abc 100929->100935 100930->100907 101065 6ca60390 100930->101065 100931 6c916ba0 104 API calls 100931->100957 100932 6c916e60 32 API calls 100932->100957 100934 6ca75240 4 API calls 100934->100935 100935->100912 100935->100927 100936 6c917090 77 API calls 100936->100957 100937 6ca75240 4 API calls 100954 6c901dd9 100937->100954 100938 6c90211c 100938->100912 100939 6c90241a 100938->100939 100942 6ca60390 11 API calls 100939->100942 100940 6ca6aec0 FindFirstFileA 100940->100967 100941 6c93e010 67 API calls 100941->100957 100945 6c90244d 100942->100945 100943->100934 100943->100935 100944 6c8f6722 101084 6ca71880 25 API calls 4 library calls 100944->101084 101093 6ca75d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100945->101093 100947 6c902452 Sleep 100947->100912 100948 6c9016ac 100949->100937 100949->100938 100949->100948 100950 6c8f6162 100951 6c8f740b 100952 6ca74ff0 4 API calls 100951->100952 100960 6c8f775a _strlen 100952->100960 100953 6ca75240 4 API calls 100953->100938 100954->100938 100954->100953 100955 6c916ba0 104 API calls 100955->100967 100957->100907 100957->100917 100957->100919 100957->100922 100957->100931 100957->100932 100957->100936 100957->100941 100957->100944 100957->100950 100958 6c917090 77 API calls 100958->100967 100959 6c93e010 67 API calls 100959->100967 100960->100907 100961 6c8f7ba9 100960->100961 100962 6c8f7b92 100960->100962 100965 6c8f7b43 _Yarn 
100960->100965 100964 6ca76a43 std::_Facet_Register 4 API calls 100961->100964 100963 6ca76a43 std::_Facet_Register 4 API calls 100962->100963 100963->100965 100964->100965 100966 6ca6aec0 FindFirstFileA 100965->100966 100976 6c8f7be7 std::ios_base::_Ios_base_dtor 100966->100976 100967->100907 100967->100940 100967->100955 100967->100958 100967->100959 101074 6c916e60 100967->101074 100968 6ca74ff0 4 API calls 100979 6c8f8a07 100968->100979 100969 6c8f9d7f 100973 6ca76a43 std::_Facet_Register 4 API calls 100969->100973 100970 6c8f9d68 100972 6ca76a43 std::_Facet_Register 4 API calls 100970->100972 100971 6c8f962c _strlen 100971->100907 100971->100969 100971->100970 100974 6c8f9d18 _Yarn 100971->100974 100972->100974 100973->100974 100975 6ca6aec0 FindFirstFileA 100974->100975 100982 6c8f9dbd std::ios_base::_Ios_base_dtor 100975->100982 100976->100907 100976->100968 100976->100971 100977 6c8f8387 100976->100977 100978 6ca74ff0 4 API calls 100987 6c8f9120 100978->100987 100979->100978 100980 6ca74ff0 4 API calls 100997 6c8fa215 _strlen 100980->100997 100981 6ca74ff0 4 API calls 100983 6c8f9624 100981->100983 100982->100907 100982->100980 100988 6c8fe8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100982->100988 101085 6ca75d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100983->101085 100984 6ca76a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100984->100988 100986 6ca6aec0 FindFirstFileA 100986->100988 100987->100981 100988->100907 100988->100984 100988->100986 100989 6c8fed02 Sleep 100988->100989 100990 6c8ff7b1 100988->100990 101009 6c8fe8c1 100989->101009 101086 6ca75d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100990->101086 100992 6c8fe8dd GetCurrentProcess TerminateProcess 100992->100988 100993 6c8fa9bb 100996 6ca76a43 std::_Facet_Register 4 API calls 100993->100996 100994 6c8fa9a4 
100995 6ca76a43 std::_Facet_Register 4 API calls 100994->100995 101004 6c8fa953 _Yarn _strlen 100995->101004 100996->101004 100997->100907 100997->100993 100997->100994 100997->101004 100998 6ca74ff0 4 API calls 100998->101009 100999 6c8ffbb8 101000 6c8ffbe8 ExitWindowsEx Sleep 100999->101000 101000->100917 101001 6c8ff7c0 101001->100999 101002 6c8fb009 101006 6ca76a43 std::_Facet_Register 4 API calls 101002->101006 101003 6c8faff0 101005 6ca76a43 std::_Facet_Register 4 API calls 101003->101005 101004->100924 101004->101002 101004->101003 101007 6c8fafa0 _Yarn 101004->101007 101005->101007 101006->101007 101008 6ca75960 104 API calls 101007->101008 101010 6c8fb059 std::ios_base::_Ios_base_dtor _strlen 101008->101010 101009->100988 101009->100992 101009->100998 101010->100907 101011 6c8fb42c 101010->101011 101012 6c8fb443 101010->101012 101015 6c8fb3da _Yarn _strlen 101010->101015 101013 6ca76a43 std::_Facet_Register 4 API calls 101011->101013 101014 6ca76a43 std::_Facet_Register 4 API calls 101012->101014 101013->101015 101014->101015 101015->100924 101016 6c8fb79e 101015->101016 101017 6c8fb7b7 101015->101017 101020 6c8fb751 _Yarn 101015->101020 101019 6ca76a43 std::_Facet_Register 4 API calls 101016->101019 101018 6ca76a43 std::_Facet_Register 4 API calls 101017->101018 101018->101020 101019->101020 101021 6ca75960 104 API calls 101020->101021 101022 6c8fb804 std::ios_base::_Ios_base_dtor _strlen 101021->101022 101022->100907 101023 6c8fbc0f 101022->101023 101024 6c8fbc26 101022->101024 101027 6c8fbbbd _Yarn _strlen 101022->101027 101025 6ca76a43 std::_Facet_Register 4 API calls 101023->101025 101026 6ca76a43 std::_Facet_Register 4 API calls 101024->101026 101025->101027 101026->101027 101027->100924 101028 6c8fc08e 101027->101028 101029 6c8fc075 101027->101029 101032 6c8fc028 _Yarn 101027->101032 101031 6ca76a43 std::_Facet_Register 4 API calls 101028->101031 101030 6ca76a43 std::_Facet_Register 4 API calls 101029->101030 101030->101032 101031->101032 101033 
6ca75960 104 API calls 101032->101033 101038 6c8fc0db std::ios_base::_Ios_base_dtor _strlen 101033->101038 101034 6c8fc7bc 101037 6ca76a43 std::_Facet_Register 4 API calls 101034->101037 101035 6c8fc7a5 101036 6ca76a43 std::_Facet_Register 4 API calls 101035->101036 101045 6c8fc753 _Yarn _strlen 101036->101045 101037->101045 101038->100907 101038->101034 101038->101035 101038->101045 101039 6c8fd3ed 101041 6ca76a43 std::_Facet_Register 4 API calls 101039->101041 101040 6c8fd406 101042 6ca76a43 std::_Facet_Register 4 API calls 101040->101042 101043 6c8fd39a _Yarn 101041->101043 101042->101043 101044 6ca75960 104 API calls 101043->101044 101046 6c8fd458 std::ios_base::_Ios_base_dtor _strlen 101044->101046 101045->100924 101045->101039 101045->101040 101045->101043 101051 6c8fcb2f 101045->101051 101046->100907 101047 6c8fd8bb 101046->101047 101048 6c8fd8a4 101046->101048 101052 6c8fd852 _Yarn _strlen 101046->101052 101050 6ca76a43 std::_Facet_Register 4 API calls 101047->101050 101049 6ca76a43 std::_Facet_Register 4 API calls 101048->101049 101049->101052 101050->101052 101052->100924 101053 6c8fdccf 101052->101053 101054 6c8fdcb6 101052->101054 101057 6c8fdc69 _Yarn 101052->101057 101056 6ca76a43 std::_Facet_Register 4 API calls 101053->101056 101055 6ca76a43 std::_Facet_Register 4 API calls 101054->101055 101055->101057 101056->101057 101058 6ca75960 104 API calls 101057->101058 101060 6c8fdd1c std::ios_base::_Ios_base_dtor 101058->101060 101059 6ca74ff0 4 API calls 101059->100988 101060->100907 101060->101059 101062 6ca75156 101061->101062 101063 6ca751e8 OpenServiceA 101062->101063 101064 6ca7522f 101062->101064 101063->101062 101064->100957 101071 6ca603a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 101065->101071 101066 6ca63f5f CloseHandle 101066->101071 101067 6ca6310e CloseHandle 101067->101071 101068 6ca4c1e0 WriteFile WriteFile WriteFile ReadFile 101068->101071 101069 6ca6251b CloseHandle 101069->101071 101070 6c9037cb 101073 6ca75d60 
GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101070->101073 101071->101066 101071->101067 101071->101068 101071->101069 101071->101070 101096 6ca4b730 101071->101096 101073->100923 101075 6c916e9f 101074->101075 101078 6c916eb3 101075->101078 101107 6c943560 32 API calls std::_Xinvalid_argument 101075->101107 101079 6c916f5b 101078->101079 101109 6c942250 30 API calls 101078->101109 101110 6c9426e0 24 API calls 4 library calls 101078->101110 101111 6ca79379 RaiseException 101078->101111 101080 6c916f6e 101079->101080 101108 6c9437e0 32 API calls std::_Xinvalid_argument 101079->101108 101080->100967 101084->100951 101085->100971 101086->101001 101088 6ca752a0 std::locale::_Setgloballocale 101087->101088 101089 6ca75277 CloseHandle 101088->101089 101090 6ca75320 Process32NextW 101088->101090 101091 6ca753b1 101088->101091 101092 6ca75345 Process32FirstW 101088->101092 101089->101088 101090->101088 101091->100929 101092->101088 101093->100947 101095->100928 101097 6ca4b743 _Yarn __wsopen_s std::locale::_Setgloballocale 101096->101097 101098 6ca4c180 101097->101098 101099 6ca4bced CreateFileA 101097->101099 101101 6ca4aa30 101097->101101 101098->101071 101099->101097 101102 6ca4aa43 __wsopen_s std::locale::_Setgloballocale 101101->101102 101103 6ca4b3e9 WriteFile 101102->101103 101104 6ca4b43d WriteFile 101102->101104 101105 6ca4b718 101102->101105 101106 6ca4ab95 ReadFile 101102->101106 101103->101102 101104->101102 101105->101097 101106->101102 101107->101078 101108->101080 101109->101078 101110->101078 101111->101078 101112 6c8f3d62 101114 6c8f3bc0 101112->101114 101113 6c8f3e8a GetCurrentThread NtSetInformationThread 101115 6c8f3eea 101113->101115 101114->101113
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: HR^
                                • API String ID: 4218353326-1341859651
                                • Opcode ID: c427457ba7a5d069c66f52ac0779cad9e3f557a515597ce0ad2bce37b699aa86
                                • Instruction ID: cc510f0592a8371ab727ac7e2e6fedac87714085e539731dd2b85e93d280e973
                                • Opcode Fuzzy Hash: c427457ba7a5d069c66f52ac0779cad9e3f557a515597ce0ad2bce37b699aa86
                                • Instruction Fuzzy Hash: C4740471644B028FC738CF28C9D0A95B7E2FF95318B198E2DC0A68BA55E774B54BCB50
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: }jk$;T55$L@^
                                • API String ID: 0-4218709813
                                • Opcode ID: bfee5237578faeb5a98b82220a8be594a2dfe674608d4d14c328842c010f16c4
                                • Instruction ID: 688a976df9f50581e81ae9e6df104e7aa6e00bcf97e6a5be577ea26f9620cdfb
                                • Opcode Fuzzy Hash: bfee5237578faeb5a98b82220a8be594a2dfe674608d4d14c328842c010f16c4
                                • Instruction Fuzzy Hash: F334F571745B018FC728CF28C8D0696B7E3EF95318B198A6DC0A68BB55EB34F54ACB50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7677 6ca75240-6ca75275 CreateToolhelp32Snapshot 7678 6ca752a0-6ca752a9 7677->7678 7679 6ca752e0-6ca752e5 7678->7679 7680 6ca752ab-6ca752b0 7678->7680 7681 6ca75377-6ca753a1 call 6ca82c05 7679->7681 7682 6ca752eb-6ca752f0 7679->7682 7683 6ca75315-6ca7531a 7680->7683 7684 6ca752b2-6ca752b7 7680->7684 7681->7678 7685 6ca75277-6ca75292 CloseHandle 7682->7685 7686 6ca752f2-6ca752f7 7682->7686 7687 6ca753a6-6ca753ab 7683->7687 7688 6ca75320-6ca75332 Process32NextW 7683->7688 7690 6ca75334-6ca7535d call 6ca7b920 Process32FirstW 7684->7690 7691 6ca752b9-6ca752be 7684->7691 7685->7678 7686->7678 7692 6ca752f9-6ca75313 7686->7692 7687->7678 7697 6ca753b1-6ca753bf 7687->7697 7694 6ca75362-6ca75372 7688->7694 7690->7694 7691->7678 7696 6ca752c0-6ca752d1 7691->7696 7692->7678 7694->7678 7696->7678
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA7524E
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3332741929-0
                                • Opcode ID: 649c30695dd7a309396ff61555c847be1a33c1e5f5158799fb10b9b3f4fd6258
                                • Instruction ID: 7c2690f50c1b6e650e97bde39e6705a19095e3abc67bac70b9ddd0baafaee097
                                • Opcode Fuzzy Hash: 649c30695dd7a309396ff61555c847be1a33c1e5f5158799fb10b9b3f4fd6258
                                • Instruction Fuzzy Hash: 57314B786083009FD7209F28C888B0ABBF4BF95744F54492EE898D7760D771D8888FA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7821 6c8f3886-6c8f388e 7822 6c8f3894-6c8f3896 7821->7822 7823 6c8f3970-6c8f397d 7821->7823 7822->7823 7826 6c8f389c-6c8f38b9 7822->7826 7824 6c8f397f-6c8f3989 7823->7824 7825 6c8f39f1-6c8f39f8 7823->7825 7824->7826 7827 6c8f398f-6c8f3994 7824->7827 7828 6c8f39fe-6c8f3a03 7825->7828 7829 6c8f3ab5-6c8f3aba 7825->7829 7830 6c8f38c0-6c8f38c1 7826->7830 7832 6c8f399a-6c8f399f 7827->7832 7833 6c8f3b16-6c8f3b18 7827->7833 7834 6c8f3a09-6c8f3a2f 7828->7834 7835 6c8f38d2-6c8f38d4 7828->7835 7829->7826 7831 6c8f3ac0-6c8f3ac7 7829->7831 7836 6c8f395e 7830->7836 7831->7830 7838 6c8f3acd-6c8f3ad6 7831->7838 7839 6c8f383b-6c8f3855 call 6ca41470 call 6ca41480 7832->7839 7840 6c8f39a5-6c8f39bf 7832->7840 7833->7830 7841 6c8f38f8-6c8f3955 7834->7841 7842 6c8f3a35-6c8f3a3a 7834->7842 7843 6c8f3957-6c8f395c 7835->7843 7837 6c8f3960-6c8f3964 7836->7837 7845 6c8f396a 7837->7845 7846 6c8f3860-6c8f3885 7837->7846 7838->7833 7847 6c8f3ad8-6c8f3aeb 7838->7847 7839->7846 7848 6c8f3a5a-6c8f3a5d 7840->7848 7841->7843 7849 6c8f3b1d-6c8f3b22 7842->7849 7850 6c8f3a40-6c8f3a57 7842->7850 7843->7836 7852 6c8f3ba1-6c8f3bb6 7845->7852 7846->7821 7847->7841 7853 6c8f3af1-6c8f3af8 7847->7853 7857 6c8f3aa9-6c8f3ab0 7848->7857 7855 6c8f3b49-6c8f3b50 7849->7855 7856 6c8f3b24-6c8f3b44 7849->7856 7850->7848 7864 6c8f3bc0-6c8f3bda call 6ca41470 call 6ca41480 7852->7864 7859 6c8f3afa-6c8f3aff 7853->7859 7860 6c8f3b62-6c8f3b85 7853->7860 7855->7830 7863 6c8f3b56-6c8f3b5d 7855->7863 7856->7857 7857->7837 7859->7843 7860->7841 7867 6c8f3b8b 7860->7867 7863->7837 7872 6c8f3be0-6c8f3bfe 7864->7872 7867->7852 7875 6c8f3e7b 7872->7875 7876 6c8f3c04-6c8f3c11 7872->7876 7877 6c8f3e81-6c8f3ee0 call 6c8f3750 GetCurrentThread NtSetInformationThread 7875->7877 7878 6c8f3c17-6c8f3c20 7876->7878 7879 6c8f3ce0-6c8f3cea 7876->7879 7896 6c8f3eea-6c8f3f04 call 6ca41470 call 6ca41480 7877->7896 7881 6c8f3c26-6c8f3c2d 7878->7881 7882 6c8f3dc5 7878->7882 7883 6c8f3cec-6c8f3d0c 
7879->7883 7884 6c8f3d3a-6c8f3d3c 7879->7884 7887 6c8f3dc3 7881->7887 7888 6c8f3c33-6c8f3c3a 7881->7888 7886 6c8f3dc6 7882->7886 7889 6c8f3d90-6c8f3d95 7883->7889 7890 6c8f3d3e-6c8f3d45 7884->7890 7891 6c8f3d70-6c8f3d8d 7884->7891 7893 6c8f3dc8-6c8f3dcc 7886->7893 7887->7882 7897 6c8f3e26-6c8f3e2b 7888->7897 7898 6c8f3c40-6c8f3c5b 7888->7898 7894 6c8f3dba-6c8f3dc1 7889->7894 7895 6c8f3d97-6c8f3db8 7889->7895 7892 6c8f3d50-6c8f3d57 7890->7892 7891->7889 7892->7886 7893->7872 7899 6c8f3dd2 7893->7899 7894->7887 7900 6c8f3dd7-6c8f3ddc 7894->7900 7895->7882 7915 6c8f3f75-6c8f3fa1 7896->7915 7902 6c8f3c7b-6c8f3cd0 7897->7902 7903 6c8f3e31 7897->7903 7904 6c8f3e1b-6c8f3e24 7898->7904 7905 6c8f3e76-6c8f3e79 7899->7905 7906 6c8f3dde-6c8f3e17 7900->7906 7907 6c8f3e36-6c8f3e3d 7900->7907 7902->7892 7903->7864 7904->7893 7904->7905 7905->7877 7906->7904 7911 6c8f3e3f-6c8f3e5a 7907->7911 7912 6c8f3e5c-6c8f3e5f 7907->7912 7911->7904 7912->7902 7914 6c8f3e65-6c8f3e69 7912->7914 7914->7893 7914->7905 7919 6c8f3fa3-6c8f3fa8 7915->7919 7920 6c8f4020-6c8f4026 7915->7920 7921 6c8f3fae-6c8f3fcf 7919->7921 7922 6c8f407c-6c8f4081 7919->7922 7923 6c8f402c-6c8f403c 7920->7923 7924 6c8f3f06-6c8f3f35 7920->7924 7926 6c8f40aa-6c8f40ae 7921->7926 7922->7926 7929 6c8f4083-6c8f408a 7922->7929 7927 6c8f403e-6c8f4058 7923->7927 7928 6c8f40b3-6c8f40b8 7923->7928 7925 6c8f3f38-6c8f3f61 7924->7925 7930 6c8f3f64-6c8f3f67 7925->7930 7931 6c8f3f6b-6c8f3f6f 7926->7931 7932 6c8f405a-6c8f4063 7927->7932 7928->7921 7934 6c8f40be-6c8f40c9 7928->7934 7929->7925 7933 6c8f4090 7929->7933 7935 6c8f3f69 7930->7935 7931->7915 7936 6c8f4069-6c8f406c 7932->7936 7937 6c8f40f5-6c8f413f 7932->7937 7933->7896 7938 6c8f40a7 7933->7938 7934->7926 7939 6c8f40cb-6c8f40d4 7934->7939 7935->7931 7942 6c8f4144-6c8f414b 7936->7942 7943 6c8f4072-6c8f4077 7936->7943 7937->7935 7938->7926 7939->7938 7940 6c8f40d6-6c8f40f0 7939->7940 7940->7932 7942->7931 7943->7930
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 249e91ca053d37aae5da7aca68827f5d0c7e68ad4ae2ddd648a18942ae0ca34d
                                • Instruction ID: 7aa399ae2d1b59bb3bb27467f0cfafcbdc585057b2ffb89fdc3e3811ad843c78
                                • Opcode Fuzzy Hash: 249e91ca053d37aae5da7aca68827f5d0c7e68ad4ae2ddd648a18942ae0ca34d
                                • Instruction Fuzzy Hash: 2532F132245B018FC334CF28C990695B7E3EFC1354B6A8E6DC0BA4BA95D774B84B8B51

                                Control-flow Graph

                                Control-flow graph (rendered graph not recoverable; executed/not-executed colouring and edge list omitted): entry block 6c8f3a6a-6c8f3a85, basic blocks spanning 6c8f383b-6c8f414b; internal calls to 6ca41470, 6ca41480 and 6c8f3750; block 6c8f3e81-6c8f3ee0 calls GetCurrentThread and NtSetInformationThread.
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: 4d9d06386ed703595c7ad3baabb260db6f99319219946d164c2261a4cf274dc9
                                • Instruction ID: d311232ca313a0124b1480020dfcd42143aae12f18adcb436cfa82c6ad8bcd31
                                • Opcode Fuzzy Hash: 4d9d06386ed703595c7ad3baabb260db6f99319219946d164c2261a4cf274dc9
                                • Instruction Fuzzy Hash: 3051DE71104B018FC3308F28CA80795B7A3AFD2394F698E1DC0F65BA95DB74B94B8B52
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: f0b59f43076ee4a62dff435dcabccd024cc4d8950d7ea84cd893d0a072fa88dc
                                • Instruction ID: 3ac843aea2a89611fdc942c89397f009db07ddb4f978e53c69cf3e5ebcdda1c2
                                • Opcode Fuzzy Hash: f0b59f43076ee4a62dff435dcabccd024cc4d8950d7ea84cd893d0a072fa88dc
                                • Instruction Fuzzy Hash: A351BE71104B018BC3308F28C680795B7A3AFD6394F698E1DC0F65BA95DB70B94B8B92
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C8F3E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8F3EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: 592ec8b7b5c8c2294bb036274dd1164ab32231140222af71b23d85e8260a7909
                                • Instruction ID: 910fdab6d63199a0113bbd5a74a825091069abcdb2441295a68122f0edf1802b
                                • Opcode Fuzzy Hash: 592ec8b7b5c8c2294bb036274dd1164ab32231140222af71b23d85e8260a7909
                                • Instruction Fuzzy Hash: D2310331105B018BD330CF24C9847C6B7A3AFD6394F298E1DC0B65BA80DB74784A8B62
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C8F3E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8F3EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: 44faa51213fef1b87e8620086ba349ca52ae7faa8d53e928f89a8c81d06520c9
                                • Instruction ID: 9f7234d45e6134491caa6ff625a1937abe1b0d0825ec7cfc56693d4095a926c1
                                • Opcode Fuzzy Hash: 44faa51213fef1b87e8620086ba349ca52ae7faa8d53e928f89a8c81d06520c9
                                • Instruction Fuzzy Hash: 8A312131104B058BD734CF28C690796B7B2AF92384F254E1DC0F65BA81DB71784ACB52
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C8F3E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8F3EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: d1312757866189d1b94d7ae605316125b11d72daeb3705fa6e62667f11cd1a27
                                • Instruction ID: 1327a07ce5472bc7cebf45e2d929f8c07bcb50ae1443c303fc4d36ca0ae85027
                                • Opcode Fuzzy Hash: d1312757866189d1b94d7ae605316125b11d72daeb3705fa6e62667f11cd1a27
                                • Instruction Fuzzy Hash: 302108701187058BD774CF24CA9079677B6AFC2385F544E1DC0B687A90DB74794A8B62
                                APIs
                                • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA75130
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ManagerOpen
                                • String ID:
                                • API String ID: 1889721586-0
                                • Opcode ID: 941b98dc6c481e0e9fc171f76101ffbc67b4b203a546a2a554dcfa6541770000
                                • Instruction ID: 231045fa0fb6568cc59c46df3d8a356b68b7a241ab392538180e408b2bf3f070
                                • Opcode Fuzzy Hash: 941b98dc6c481e0e9fc171f76101ffbc67b4b203a546a2a554dcfa6541770000
                                • Instruction Fuzzy Hash: C83129B8608351EFC7219F29C544A0ABBF0FB8A765F54895AF888C7360C371D9859B63
                                APIs
                                • FindFirstFileA.KERNEL32(?,?), ref: 6CA6AEDC
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: 434e945bd96cc24c2ee3b9218802d395700ef2390cf5cb04d5d8fee752441b17
                                • Instruction ID: dc88ca38cf9478117e2e821a88b4ed47089d5620034a0694d1896716b324bbff
                                • Opcode Fuzzy Hash: 434e945bd96cc24c2ee3b9218802d395700ef2390cf5cb04d5d8fee752441b17
                                • Instruction Fuzzy Hash: F21148B4518360AFD7108F2AD54450EBBE5BF86315F188E99F4A9CBB91D330CC848B23
                                APIs
                                • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CA4ABA7
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                • API String ID: 2738559852-1563143607
                                • Opcode ID: d18d9615371f14d595b705e7d4a2fa1928f1a918161885ac22fa8f8522726cc2
                                • Instruction ID: b9af244613bfbbec74f4e1bf5d2304f9c65008c28e3719b3087152e5641eee46
                                • Opcode Fuzzy Hash: d18d9615371f14d595b705e7d4a2fa1928f1a918161885ac22fa8f8522726cc2
                                • Instruction Fuzzy Hash: A9624B7160D7818FC724CF18D490A5EBBE2ABD9304F248E2EE999CB751D735D8868B43

                                Control-flow Graph

                                Control-flow graph (rendered graph not recoverable; executed/not-executed colouring and edge list omitted): entry block 6ca8cad3-6ca8cae3, basic blocks spanning 6ca8cad3-6ca8ce82; Win32 calls GetConsoleMode (block 6ca8cd57), ReadConsoleW (block 6ca8cd6e), ReadFile (block 6ca8cdb8) and GetLastError (blocks 6ca8cd8a, 6ca8ce2c); internal calls to 6ca7f9df, 6ca7f9cc, 6ca7f9f2, 6ca80120, 6ca847f5, 6ca847bb, 6ca8ac69, 6ca919e5, 6ca8cefe, 6ca8ce83 and 6ca8d1b6.
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8Q
                                • API String ID: 0-4022487301
                                • Opcode ID: 58629cf3142f8408564d01d73edc03db29c361661169d8d87c06a1788e9a8493
                                • Instruction ID: d78b031eb095a28fb2ffcafd19b47798b3bc566dcd97a210ec61668b28967240
                                • Opcode Fuzzy Hash: 58629cf3142f8408564d01d73edc03db29c361661169d8d87c06a1788e9a8493
                                • Instruction Fuzzy Hash: 1EC1EA74A06259AFDF01EFA8C880BADBBB0BF4A31CF144259E5149BB41D7709989CF74

                                Control-flow Graph

                                Control-flow graph (rendered graph not recoverable; executed/not-executed colouring and edge list omitted): entry block 6ca9406c-6ca9409c, basic blocks spanning 6ca9406c-6ca94395; Win32 calls GetFileType (block 6ca94192), GetLastError (blocks 6ca94167, 6ca9419d, 6ca94345) and CloseHandle (blocks 6ca9419d, 6ca94310); internal calls to 6ca944ec, 6ca9160c, 6ca94457, 6ca7f9df, 6ca7f9cc, 6ca7f9f2, 6ca917b0, 6ca94666, 6ca94710, 6ca8b925 and 6ca9171f.
                                APIs
                                  • Part of subcall function 6CA94457: CreateFileW.KERNEL32(00000000,00000000,?,6CA94115,?,?,00000000,?,6CA94115,00000000,0000000C), ref: 6CA94474
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA94180
                                • __dosmaperr.LIBCMT ref: 6CA94187
                                • GetFileType.KERNEL32(00000000), ref: 6CA94193
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA9419D
                                • __dosmaperr.LIBCMT ref: 6CA941A6
                                • CloseHandle.KERNEL32(00000000), ref: 6CA941C6
                                • CloseHandle.KERNEL32(6CA8B0D0), ref: 6CA94313
                                • GetLastError.KERNEL32 ref: 6CA94345
                                • __dosmaperr.LIBCMT ref: 6CA9434C
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: 8Q
                                • API String ID: 4237864984-4022487301
                                • Opcode ID: a45008ca59a03371e19b2f9f98de89c0824eb3dab3b5a28894732ba8a88a0fb0
                                • Instruction ID: 3dde85bddee4796bfa83c05fed3681d2e55c65665180badac25a5a25550a29f6
                                • Opcode Fuzzy Hash: a45008ca59a03371e19b2f9f98de89c0824eb3dab3b5a28894732ba8a88a0fb0
                                • Instruction Fuzzy Hash: B2A15B32A241599FCF098F78DC527AE7BF0AB46328F18025DE8219F790CB35895AC751

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7002 6ca4c1e0-6ca4c239 call 6ca76b70 7005 6ca4c260-6ca4c269 7002->7005 7006 6ca4c2b0-6ca4c2b5 7005->7006 7007 6ca4c26b-6ca4c270 7005->7007 7010 6ca4c2b7-6ca4c2bc 7006->7010 7011 6ca4c330-6ca4c335 7006->7011 7008 6ca4c2f0-6ca4c2f5 7007->7008 7009 6ca4c272-6ca4c277 7007->7009 7016 6ca4c431-6ca4c448 WriteFile 7008->7016 7017 6ca4c2fb-6ca4c300 7008->7017 7012 6ca4c372-6ca4c3df WriteFile 7009->7012 7013 6ca4c27d-6ca4c282 7009->7013 7014 6ca4c407-6ca4c41b 7010->7014 7015 6ca4c2c2-6ca4c2c7 7010->7015 7018 6ca4c489-6ca4c4b9 call 6ca7b3a0 7011->7018 7019 6ca4c33b-6ca4c340 7011->7019 7023 6ca4c3e9-6ca4c3fd WriteFile 7012->7023 7022 6ca4c288-6ca4c28d 7013->7022 7013->7023 7024 6ca4c41f-6ca4c42c 7014->7024 7025 6ca4c2cd-6ca4c2d2 7015->7025 7026 6ca4c23b-6ca4c250 7015->7026 7028 6ca4c452-6ca4c47f call 6ca7b920 ReadFile 7016->7028 7027 6ca4c306-6ca4c30b 7017->7027 7017->7028 7018->7005 7020 6ca4c346-6ca4c36d 7019->7020 7021 6ca4c4be-6ca4c4c3 7019->7021 7030 6ca4c253-6ca4c258 7020->7030 7021->7005 7031 6ca4c4c9-6ca4c4d7 7021->7031 7022->7005 7032 6ca4c28f-6ca4c2aa 7022->7032 7023->7014 7024->7005 7025->7005 7033 6ca4c2d4-6ca4c2e7 7025->7033 7026->7030 7027->7005 7035 6ca4c311-6ca4c32b 7027->7035 7028->7018 7030->7005 7032->7030 7033->7030 7035->7024
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: :uW$;uW$;uW$> 4!$> 4!
                                • API String ID: 0-4100612575
                                • Opcode ID: ad52c348ec394ddfa40236968c0d18f4106a92e93e1e6dc16364042333b3735f
                                • Instruction ID: 5abf25a5b9b550bf75dd6d25ebf0c9b9178c5c110b2db8d84901caca9b40f6df
                                • Opcode Fuzzy Hash: ad52c348ec394ddfa40236968c0d18f4106a92e93e1e6dc16364042333b3735f
                                • Instruction Fuzzy Hash: AA716DB0208345AFD710EF55C484B5ABBF4FF8A708F10892EF498D7651D7B1D8889B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: K?Jo$K?Jo$`Rlx$7eO
                                • API String ID: 0-174837320
                                • Opcode ID: 03cc790008e230ebb91f95490726efdc544baa5e39a27a4f99824da49dce8833
                                • Instruction ID: 5b674f23d16bec6bb4f5b14697be8b681f6ac802c11d4d662de8c46ff2b7adf3
                                • Opcode Fuzzy Hash: 03cc790008e230ebb91f95490726efdc544baa5e39a27a4f99824da49dce8833
                                • Instruction Fuzzy Hash: 824247B460A7419FC754CF28D090A1EBBE1AFC9314F288E1EE59587B21D774D889CB53
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: ;T55
                                • API String ID: 0-2572755013
                                • Opcode ID: 12b29d32e9f72f15e5469e8d83aafe18f8971ff7f06db307dc346080d2c00120
                                • Instruction ID: 798096f53b03d0f086069d722b330e08ba311a6441988dd393f238860f75d8cb
                                • Opcode Fuzzy Hash: 12b29d32e9f72f15e5469e8d83aafe18f8971ff7f06db307dc346080d2c00120
                                • Instruction Fuzzy Hash: 3703C331745B018FC728CF28C8D0696B7E3AFD5328719CB6DC0AA4BA95DB74B54ACB50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7579 6ca74ff0-6ca75077 CreateProcessA 7580 6ca750ca-6ca750d3 7579->7580 7581 6ca750d5-6ca750da 7580->7581 7582 6ca750f0-6ca7510b 7580->7582 7583 6ca75080-6ca750c2 WaitForSingleObject CloseHandle * 2 7581->7583 7584 6ca750dc-6ca750e1 7581->7584 7582->7580 7583->7580 7584->7580 7585 6ca750e3-6ca75118 7584->7585
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID: D
                                • API String ID: 963392458-2746444292
                                • Opcode ID: 8f2ebb36e5dbde895a999e99406e66c9c497a59fce08a6c2722487615b7567ea
                                • Instruction ID: 9a6f80c33c9fd88b4e735669c2fcbdf7f449d9b9438aadfebbfdff34fe81f108
                                • Opcode Fuzzy Hash: 8f2ebb36e5dbde895a999e99406e66c9c497a59fce08a6c2722487615b7567ea
                                • Instruction Fuzzy Hash: 073101718093808FD350DF28C19876ABBF0BB8A318F405E1DF89987250E7B49589CF53
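The records on this page are flattened tool output, which is awkward to triage by eye. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses such records (the "APIs" bullets, the "Similarity" fields and the one-line control_flow_graph dumps) into objects and flags functions that reach watchlisted Win32 imports, reporting identical functions (same Opcode ID) only once. The sample text embedded in the script is copied from fragments on this page and trimmed to the fields the parser reads; the watchlist and its tag wording are this example's own choices, not Joe Sandbox signature names.

```python
"""Added example: parse flattened Joe Sandbox per-function records and triage
them by the Win32 imports they reach. Reads the "APIs" bullets, the
"Similarity" key/value lines and the one-line control_flow_graph dumps."""
import re
from dataclasses import dataclass, field

# Constructed input: fragments copied from this page, trimmed to the fields the
# parser reads (two functions from module 6C8F0000 of process 6).
SAMPLE = """\
control_flow_graph 7579 6ca74ff0-6ca75077 CreateProcessA 7580 6ca750ca-6ca750d3 7579->7580 7581 6ca750d5-6ca750da 7580->7581 7583 6ca75080-6ca750c2 WaitForSingleObject CloseHandle * 2 7581->7583
APIs
Similarity
• API ID: CreateProcess
• String ID: D
• Opcode ID: 8f2ebb36e5dbde895a999e99406e66c9c497a59fce08a6c2722487615b7567ea
• Instruction Fuzzy Hash: 073101718093808FD350DF28C19876ABBF0BB8A318F405E1DF89987250E7B49589CF53
APIs
  • Part of subcall function 6CA8BEB1: GetConsoleCP.KERNEL32(?,6CA8B0D0,?), ref: 6CA8BEF9
• WriteFile.KERNEL32(?,?,6CA946EC,00000000), ref: 6CA8BDAF
• GetLastError.KERNEL32(?,?,?), ref: 6CA8BDB9
• __dosmaperr.LIBCMT ref: 6CA8BDFE
Similarity
• API ID: ConsoleErrorFileLastWrite__dosmaperr
• String ID: 8Q
• Opcode ID: a7c6bd32b76f5fa71f3836d9a3ab1a274e75ee82d24b45beaca8c825be0d4e1d
• Instruction Fuzzy Hash: 3C51C571A0220ABFDB01DFA4DD40BEEBBB9EF0931CF180655D510ABA91D77099C98771
"""

# "• Name.MODULE(" or "• Name.MODULE ref:"; the optional prefix marks an API
# reached through a sub-call rather than called directly by this function.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_][\w:]*)\.([A-Z0-9]+)\b"
)
FIELD_RE = re.compile(r"^•\s*(API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")
NODE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")  # basic-block address range


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)       # (name, module) from the "APIs" bullets
    cfg_calls: list = field(default_factory=list)  # import names recovered from the CFG dump
    fields: dict = field(default_factory=dict)     # "Similarity" key/value lines

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")


def cfg_apis(line):
    """Recover import names, in graph order, from a flattened CFG line.
    Node ids, address ranges, edges (a->b) and internal "call <addr>" targets
    are dropped; "Name * N" (N calls in one block) expands to N entries."""
    toks = line.split()[1:]  # drop the leading "control_flow_graph"
    out, last, i = [], None, 0
    while i < len(toks):
        t = toks[i]
        if t == "*" and i + 1 < len(toks) and toks[i + 1].isdigit():
            if last is not None:  # "call <addr> * 2" has no import to repeat
                out.extend([last] * (int(toks[i + 1]) - 1))
            i += 2
        elif t == "call":
            last = None  # internal function address, not an import
            i += 2
        elif t.isdigit() or "->" in t or NODE_RE.match(t):
            last = None
            i += 1
        else:
            out.append(t)
            last = t
            i += 1
    return out


def parse_records(text):
    """Split flattened report text into one FunctionRecord per function."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            cur.cfg_calls = cfg_apis(line)
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group(1)] = m.group(2).strip()
            if m.group(1) == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur = FunctionRecord()
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m.group(1), m.group(2)))
    return records


# Imports worth a second look in an unknown module (this example's own list).
WATCHLIST = {
    "CreateProcessA": "process creation",
    "CreateProcessW": "process creation",
    "WriteFile": "file or pipe write",
}


def triage(records):
    """(Opcode ID prefix, sorted tags) for each function reaching a watchlisted
    import; functions sharing an Opcode ID are reported once."""
    seen, hits = set(), []
    for r in records:
        if r.opcode_id in seen:
            continue
        seen.add(r.opcode_id)
        names = {n for n, _ in r.apis} | set(r.cfg_calls)
        tags = sorted({WATCHLIST[n] for n in names if n in WATCHLIST})
        if tags:
            hits.append((r.opcode_id[:12], tags))
    return hits
```

Functions are keyed on Opcode ID rather than address so that the same CRT wrapper mapped in several processes collapses to one line; the fuzzy hashes are parsed but left for a similarity step, since a threshold on them is a per-corpus tuning decision.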

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7587 6ca8bc5e-6ca8bc7a 7588 6ca8be39 7587->7588 7589 6ca8bc80-6ca8bc82 7587->7589 7590 6ca8be3b-6ca8be3f 7588->7590 7591 6ca8bca4-6ca8bcc5 7589->7591 7592 6ca8bc84-6ca8bc97 call 6ca7f9df call 6ca7f9cc call 6ca80120 7589->7592 7594 6ca8bccc-6ca8bcd2 7591->7594 7595 6ca8bcc7-6ca8bcca 7591->7595 7609 6ca8bc9c-6ca8bc9f 7592->7609 7594->7592 7597 6ca8bcd4-6ca8bcd9 7594->7597 7595->7594 7595->7597 7599 6ca8bcea-6ca8bcfb call 6ca8be40 7597->7599 7600 6ca8bcdb-6ca8bce7 call 6ca8ac69 7597->7600 7607 6ca8bd3c-6ca8bd4e 7599->7607 7608 6ca8bcfd-6ca8bcff 7599->7608 7600->7599 7612 6ca8bd50-6ca8bd59 7607->7612 7613 6ca8bd95-6ca8bdb7 WriteFile 7607->7613 7610 6ca8bd01-6ca8bd09 7608->7610 7611 6ca8bd26-6ca8bd32 call 6ca8beb1 7608->7611 7609->7590 7614 6ca8bdcb-6ca8bdce 7610->7614 7615 6ca8bd0f-6ca8bd1c call 6ca8c25b 7610->7615 7623 6ca8bd37-6ca8bd3a 7611->7623 7619 6ca8bd5b-6ca8bd5e 7612->7619 7620 6ca8bd85-6ca8bd93 call 6ca8c2c3 7612->7620 7617 6ca8bdb9-6ca8bdbf GetLastError 7613->7617 7618 6ca8bdc2 7613->7618 7625 6ca8bdd1-6ca8bdd6 7614->7625 7632 6ca8bd1f-6ca8bd21 7615->7632 7617->7618 7624 6ca8bdc5-6ca8bdca 7618->7624 7626 6ca8bd60-6ca8bd63 7619->7626 7627 6ca8bd75-6ca8bd83 call 6ca8c487 7619->7627 7620->7623 7623->7632 7624->7614 7633 6ca8bdd8-6ca8bddd 7625->7633 7634 6ca8be34-6ca8be37 7625->7634 7626->7625 7628 6ca8bd65-6ca8bd73 call 6ca8c39e 7626->7628 7627->7623 7628->7623 7632->7624 7635 6ca8be09-6ca8be15 7633->7635 7636 6ca8bddf-6ca8bde4 7633->7636 7634->7590 7642 6ca8be1c-6ca8be2f call 6ca7f9cc call 6ca7f9df 7635->7642 7643 6ca8be17-6ca8be1a 7635->7643 7639 6ca8bdfd-6ca8be04 call 6ca7f9f2 7636->7639 7640 6ca8bde6-6ca8bdf8 call 6ca7f9cc call 6ca7f9df 7636->7640 7639->7609 7640->7609 7642->7609 7643->7588 7643->7642
                                APIs
                                  • Part of subcall function 6CA8BEB1: GetConsoleCP.KERNEL32(?,6CA8B0D0,?), ref: 6CA8BEF9
                                • WriteFile.KERNEL32(?,?,6CA946EC,00000000,00000000,?,00000000,00000000,6CA95AB6,00000000,00000000,?,00000000,6CA8B0D0,6CA946EC,00000000), ref: 6CA8BDAF
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA946EC,6CA8B0D0,00000000,?,?,?,?,00000000,?), ref: 6CA8BDB9
                                • __dosmaperr.LIBCMT ref: 6CA8BDFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                • String ID: 8Q
                                • API String ID: 251514795-4022487301
                                • Opcode ID: a7c6bd32b76f5fa71f3836d9a3ab1a274e75ee82d24b45beaca8c825be0d4e1d
                                • Instruction ID: 22043a1791718fcdeb4facf3271f38b164645e141431210c73506c8bd67321f9
                                • Opcode Fuzzy Hash: a7c6bd32b76f5fa71f3836d9a3ab1a274e75ee82d24b45beaca8c825be0d4e1d
                                • Instruction Fuzzy Hash: 3C51C571A0220ABFDB01DFA4DD40BEEBBB9EF0931CF180655D510ABA91D77099C98771

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7654 6ca75b90-6ca75b9c 7655 6ca75b9e-6ca75ba9 7654->7655 7656 6ca75bdd 7654->7656 7658 6ca75bbf-6ca75bcc call 6c9401f0 call 6ca80b18 7655->7658 7659 6ca75bab-6ca75bbd 7655->7659 7657 6ca75bdf-6ca75c57 7656->7657 7660 6ca75c83-6ca75c89 7657->7660 7661 6ca75c59-6ca75c81 7657->7661 7667 6ca75bd1-6ca75bdb 7658->7667 7659->7658 7661->7660 7663 6ca75c8a-6ca75d49 call 6c942250 call 6c942340 call 6ca79379 call 6c93e010 call 6ca77088 7661->7663 7667->7657
                                APIs
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA75D31
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Ios_base_dtorstd::ios_base::_
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 323602529-1866435925
                                • Opcode ID: 1c2ee0a2050f44ecb9da28c7fddc09b744abd87b0bc2bd3616473f10160c776f
                                • Instruction ID: 68d9f173825c11336ae520806f819c15f80b59ddd934e7967a5525e4030e5fcc
                                • Opcode Fuzzy Hash: 1c2ee0a2050f44ecb9da28c7fddc09b744abd87b0bc2bd3616473f10160c776f
                                • Instruction Fuzzy Hash: FE5134B5500B008FD725CF29C585B97BBF1BB58318F048A2DD8864BB90D775B94ACFA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7699 6ca8b925-6ca8b939 call 6ca915a2 7702 6ca8b93b-6ca8b93d 7699->7702 7703 6ca8b93f-6ca8b947 7699->7703 7706 6ca8b98d-6ca8b9ad call 6ca9171f 7702->7706 7704 6ca8b949-6ca8b950 7703->7704 7705 6ca8b952-6ca8b955 7703->7705 7704->7705 7707 6ca8b95d-6ca8b971 call 6ca915a2 * 2 7704->7707 7708 6ca8b973-6ca8b983 call 6ca915a2 CloseHandle 7705->7708 7709 6ca8b957-6ca8b95b 7705->7709 7716 6ca8b9bb 7706->7716 7717 6ca8b9af-6ca8b9b9 call 6ca7f9f2 7706->7717 7707->7702 7707->7708 7708->7702 7721 6ca8b985-6ca8b98b GetLastError 7708->7721 7709->7707 7709->7708 7719 6ca8b9bd-6ca8b9c0 7716->7719 7717->7719 7721->7706
                                APIs
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA9425F), ref: 6CA8B97B
                                • GetLastError.KERNEL32(?,00000000,?,6CA9425F), ref: 6CA8B985
                                • __dosmaperr.LIBCMT ref: 6CA8B9B0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID:
                                • API String ID: 2583163307-0
                                • Opcode ID: 4a80fd0dd3854a27c1ee646e1a42dcceaea7cfaec397217585c3bea966445e97
                                • Instruction ID: d06194707939a6044fe3712f0c26d076c81afaff74098fc354113b6cef98eeae
                                • Opcode Fuzzy Hash: 4a80fd0dd3854a27c1ee646e1a42dcceaea7cfaec397217585c3bea966445e97
                                • Instruction Fuzzy Hash: E9016B33A565205BC21106BABD467AE37AD4F8373CF2E4309E9168BBC0DF60C8CD8250

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7944 6ca80b9c-6ca80ba7 7945 6ca80ba9-6ca80bbc call 6ca7f9cc call 6ca80120 7944->7945 7946 6ca80bbe-6ca80bcb 7944->7946 7957 6ca80c10-6ca80c12 7945->7957 7948 6ca80bcd-6ca80be2 call 6ca80cb9 call 6ca8873e call 6ca89c60 call 6ca8b898 7946->7948 7949 6ca80c06-6ca80c0f call 6ca8ae75 7946->7949 7963 6ca80be7-6ca80bec 7948->7963 7949->7957 7964 6ca80bee-6ca80bf1 7963->7964 7965 6ca80bf3-6ca80bf7 7963->7965 7964->7949 7965->7949 7966 6ca80bf9-6ca80c05 call 6ca847bb 7965->7966 7966->7949
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8Q
                                • API String ID: 0-4022487301
                                • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                • Instruction ID: a23cfc8dd11ac56159272f6d95c5a19687fd7cb86083ee986df2aec8e9c53d2a
                                • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                • Instruction Fuzzy Hash: 7AF0F4B29036546BC7215E3A8E00BCB32A89F4237CF140715E86193EE0DB70D4CEC7A1
                                APIs
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA75AB4
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA75AF4
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Ios_base_dtorstd::ios_base::_
                                • String ID:
                                • API String ID: 323602529-0
                                • Opcode ID: cb7a2efc14f5d3d0eff9b201626549fa516c1c7dff4bb33f7b4aabf3b789a0aa
                                • Instruction ID: 2021f13a05eea8903667c3f9a0adec1d673c624722ba881ca4fc29dce1c3ac69
                                • Opcode Fuzzy Hash: cb7a2efc14f5d3d0eff9b201626549fa516c1c7dff4bb33f7b4aabf3b789a0aa
                                • Instruction Fuzzy Hash: 99514675201B04DBD735CF29C585BE6BBE4FB04718F448A2CD4AA4BB91DB30B989CB90
                                APIs
                                • GetLastError.KERNEL32(6CAA6DD8,0000000C), ref: 6CA7EF52
                                • ExitThread.KERNEL32 ref: 6CA7EF59
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 38c33cdd39dfcae7776904ed3d0658a3b53467491bf0e4b7ff62e97e4ac3f817
                                • Instruction ID: fce5c29733667720cc519716b69b34439d7eb40f5cce69701054c59855dd114d
                                • Opcode Fuzzy Hash: 38c33cdd39dfcae7776904ed3d0658a3b53467491bf0e4b7ff62e97e4ac3f817
                                • Instruction Fuzzy Hash: 80F0C2B5A01601AFDF15AFB0C509AAE3B74FF41214F144649F005A7B40CF30598ACBE1
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __wsopen_s
                                • String ID:
                                • API String ID: 3347428461-0
                                • Opcode ID: 0bee7d6d43ee8dd7c7a5bfa98480910d41bddb7ea544474824abc139bfd8ddb5
                                • Instruction ID: d56c35a9bfb3cd8178ec7104c6d9a341b3428aa34d63ce51bb9e7c7a4ea09b13
                                • Opcode Fuzzy Hash: 0bee7d6d43ee8dd7c7a5bfa98480910d41bddb7ea544474824abc139bfd8ddb5
                                • Instruction Fuzzy Hash: E5116671A0420EAFCB05CF58E945A9B3BF8EF48318F044069F809AB311D631E915CBA4
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                 • Associated: 00000006.00000002.2209350660.000000006C8F0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210722681.000000006CA98000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2212736651.000000006CC62000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                • Instruction ID: 5a66fa66eaa93591baa50ec732f9c5e79d626acac7d94d1a4e8ea7b9c68984bf
                                • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                • Instruction Fuzzy Hash: 54014F72C11159BFCF019FE88D01AEE7FF5AF08214F144165ED24E26A0E7358AA8DB91
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000000,?,6CA94115,?,?,00000000,?,6CA94115,00000000,0000000C), ref: 6CA94474
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2209377774.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB084B1
                                  • Part of subcall function 6CB0993B: __EH_prolog.LIBCMT ref: 6CB09940
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID: 1$`)K$h)K
                                • API String ID: 3519838083-3935664338
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAFAEF4
                                  • Part of subcall function 6CAFE622: __EH_prolog.LIBCMT ref: 6CAFE627
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID: $h%K
                                • API String ID: 3519838083-1737110039
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID: $J
                                • API String ID: 3519838083-1755042146
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAD6CE5
                                  • Part of subcall function 6CAACC2A: __EH_prolog.LIBCMT ref: 6CAACC2F
                                  • Part of subcall function 6CAAE6A6: __EH_prolog.LIBCMT ref: 6CAAE6AB
                                  • Part of subcall function 6CAD6A0E: __EH_prolog.LIBCMT ref: 6CAD6A13
                                  • Part of subcall function 6CAD6837: __EH_prolog.LIBCMT ref: 6CAD683C
                                  • Part of subcall function 6CADA143: __EH_prolog.LIBCMT ref: 6CADA148
                                  • Part of subcall function 6CADA143: ctype.LIBCPMT ref: 6CADA16C
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: 3J$`/J$`1J$p0J
                                • API String ID: 0-2826663437
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID: W
                                • API String ID: 3519838083-655174618
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAF489B
                                  • Part of subcall function 6CAF5FC9: __EH_prolog.LIBCMT ref: 6CAF5FCE
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID: @ K
                                • API String ID: 3519838083-4216449128
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction ID: 613a352db69aa7734424e16d86118dc374a6ea361fe9b1cad54fc8c9d06d7859
                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction Fuzzy Hash: 3B429171604B558FD328CF69C8807AAB3E2FF84304F045A2EE49AC7B94E775E549CB42
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: 603bddfd3b2c4b4eaf52fe9901dcea84554eccafea8bd3d4db748076c4f28fbf
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: BF12AE712097818BC718CF29C59066AFBE2FF88344F54492DE9DA87B41D739E889CB52
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction ID: 9a2d74e68623b4d228ad468bb21c65a9191d99ad368592948987af677eeb12a6
                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction Fuzzy Hash: E102EA73B083A14BD714CE1DCC8021ABBE3FBC1390F5A572DE89A47794DAB49946CB91
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: 0ef2aa27d2d99dc51c65abc7aa78e06916bc611988672e7a1f8ebccb026c4fb5
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: A802FA32A082718BC319CE2CC490259BFF2FBC4355F195B2EE49A97A94D7759848CF92
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction ID: b10fd035514e59993675a29f70ae3676828aedb74e177b784230e65787e38d4e
                                • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction Fuzzy Hash: CC12B2706047A18FC324CF2EC49462AFBF2BF85305F148A6ED5DA87A91D735E948CB91
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction ID: 8129858fc7d8dbdabdef63ab218fa71b3b2abeb7d1ac0dd95c7dd416dce51bb1
                                • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction Fuzzy Hash: 0C02AF716087608FC328DF2ED49422AFBF1AF85301F148A6EE5DA87B91D336E549CB51
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction ID: 63a0f77a19ad2f1ca3015db0865434477fb51c5441866ee5181cb45425702b15
                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction Fuzzy Hash: C0E1CF71604B858BD724CE29D4603ABB7E2EFC4314F544A2DC59AC7B81DB79E50ACB82
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction ID: 4131371c59487bbd4f374cd1c4b6499d2f989cb7f9145fab9937209a3c73d24c
                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction Fuzzy Hash: 8CF1C3706087A18FC329CF2DD49026AFBE1EF89304F184A6ED1DAC7A91D379E554CB91
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction ID: 0da290e1bea534b210c7aa45915aa7386868097d7f6f2aa322715f66d1cf7cf7
                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction Fuzzy Hash: 3EF1DF70508BB18FC329DF69C49026AFBF1BF85304F189B2ED5DA8AA81D339E155CB51
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction ID: 6810d5575bb513bbcd58214ad575112241078f229fe87e6646c20b9fcbe91d79
                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction Fuzzy Hash: 17C1C271604B468BE328CF2DC4906AAB7E2FBC5314F548A2DC1AAC7B45D638F495CB81
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction ID: 5fa5f5e1a91a8e8236a6bdf693946c4c7c8a60a46fd448332352475b9c1b746f
                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction Fuzzy Hash: B0E1E7B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A942DB94
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction ID: ccbe8d9caff4aced2257d6536ebe73641d6ca73b6672b0cd1c46cf5426a35ef0
                                • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction Fuzzy Hash: 86B192716012918FC350CF3AC8802597BA2FFC522A77597ADC4A98FA4AD336E407CBD1
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 2872b42f5c30518303fb43ddc37f99a44f1a96518d014c49a2f00177d1d6e8fb
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: 91C1F9352087814BC719CF39D0A46A7BBE2EFD9314F148A6DC4CE8BB55DA34A80DCB56
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction ID: a8df25d7f1ebff225a8e4a95280abba4ad596c9c3962427c963d7ef9e1884371
                                • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction Fuzzy Hash: 19B160716052908FC341CF39C484658BBA2FF8526DB79569EC4988F646E33BE847CB91
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction ID: 17877c9ecc7d1ed642994aee20ea07549f6f0025831616908375cd096d917b72
                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction Fuzzy Hash: 73D1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction ID: 58e42b8a9521a69780116ee4fbc308336a5813c28fd78efeb7af694321d3fa72
                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction Fuzzy Hash: 52B1DE31308B858BD325DF79C8907EEB3E1AF84308F04452DD5AA8BF91EF30A9498795
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction ID: 4bd829b4d7c2053fc5a81f2c9fddecaa72a44f04545f838580d0bbbed0eb6be6
                                • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction Fuzzy Hash: ED6191B23082558FD308CF99E180E66B3E5EB99321B1686BFD109CB761E735DC41CB18
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction ID: 85dc153512d930b2bfa787c962e357635ad1f6631397c7f64ab7b41b542468f1
                                • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction Fuzzy Hash: 4C8102B2D447298BD310CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBC0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction ID: a9187ac84ee03b7a1c05c4347dda5def870b94f1fc12a019a66aaec5848b1877
                                • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction Fuzzy Hash: 44919176D1872A8BD314CF18D88025AB7E0FB88308F05067EED9997341D73AEA55CBD6
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: d8a208b13a65a67e29738edc11b931b567c0efd611d0b2ee56d5f17ae6e759a2
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: 00518DB2F046099FDF08CF98D9916EDBBF2EB88308F248169D515E7781D7749A81CB41
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: bafd846772421adf315ab756f22c910ed0f98d24526ef7d79b9d3b215bf66be5
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: 053114277A440103D70CCD3BCC1679F91635BD462A70EDF396C05DEF55D92CC8524145
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction ID: ba2fdb38f6a52168a3a38184527d5492ddc91b2b829c0d9b1b22d430632dc9c0
                                • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction Fuzzy Hash: E1313F73500AD50AF711893BC94437BB323DBC1369F29C769D96E87EECC67994078182
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction ID: 1a0fd1d92c48513483b1223eec6bbb75649a3f6b9bff84efe7e7158af4053d6f
                                • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction Fuzzy Hash: A4419EB29047569BD704CF19C89066AB3E4FF88318F454A6DED5AE7381E330EA25CB91
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction ID: f4f3a57aefb12e10940de4f188ee800d8bdbd25e9b049270aa2ddd35e71bddb6
                                • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction Fuzzy Hash: 40212BB1A087E607E7209E6DCCC037577D2DBC1305F198279D9648F64BD17994A3EA60
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                • Instruction ID: 95ebe1ae9f9560f3650915141ca48eb8c408080970e2068d236e20ac57538cbb
                                • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                • Instruction Fuzzy Hash: 4021377251946587C301DF6DE888677B3E1FFC431DF678A3AD9928B581C624E440EBA1
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                • Instruction ID: 53791a4b805dc6de158045111ca7390137d53a06e7c6b3e049d22fa2ff183ee7
                                • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                • Instruction Fuzzy Hash: F92124326051188FC701EF6AD98469B73E6FFC8365FA7C63DED8147644C630E60A9AA0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction ID: 2fb2957652a62476c74b56158f36c4497f4ae5df07c6c1f2abd3b5c4d10b6298
                                • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction Fuzzy Hash: E701817291462E97DB189F48CC45136B390FB95312F49823ADD479B385E734F970C6D4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                • API String ID: 3519838083-609671
                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction ID: 2f4a7b5eab043ae0abffa402d12d0a53afd544ef486e5c75d74b39f3d69037e1
                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction Fuzzy Hash: 67D1C571A0420AEFCB15CFA4DA80BEEF7B5FF09308F154519E055A3A50DB71B989CBA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $$ K$, K$.$o
                                • API String ID: 3519838083-1786814033
                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction ID: 5423fdbbefa8e9fb8cea85130ceecef01be6ee82971e82e21468b38142a0cf8a
                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction Fuzzy Hash: 1BD11931D062598FDF01CFA9C5907EEBBF1BF05308F28416AE4B1ABA41C775598ACB52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: >WJ$x$x
                                • API String ID: 2300968129-3162267903
                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction ID: b4d77395f04bda61fa430a2392cb79a291f97ac04be5c54d932eea9c0d6c6f10
                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction Fuzzy Hash: FD127871A00219EFDF10DFA4C980AEDBBB5FF48318F248569E819AB750DB319989CF51
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 452415e34060070e381fe58864d6d93033e682e6c312d3f4a754de31a6c4efb3
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: 7B21CE30905259FFDF208EA5CC80DDF7A7DEF417A9F24C626B52072A94D2B18D90E7A1
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CABA6F1
                                  • Part of subcall function 6CAC9173: __EH_prolog.LIBCMT ref: 6CAC9178
                                • __EH_prolog.LIBCMT ref: 6CABA8F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction ID: 34639beb26b5ddba8c41efc245b6ff8065727961e377cbee41e3ece7e386e67c
                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction Fuzzy Hash: 6971BC30A04254DFDB14CFA4C584BEDB7F6AF14308F1480A9D855ABB91DB74AE8ECB90
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CACE41D
                                  • Part of subcall function 6CACEE40: __EH_prolog.LIBCMT ref: 6CACEE45
                                  • Part of subcall function 6CACE8EB: __EH_prolog.LIBCMT ref: 6CACE8F0
                                  • Part of subcall function 6CACE593: __EH_prolog.LIBCMT ref: 6CACE598
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction ID: 8ebb3d73777a1c480a6e4cc645f6f4d3578b32ce1617e6120d7446b20564f80e
                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction Fuzzy Hash: DB21BB70E01248AECB04CBE4DA859ECBBF5AF25318F204029E41273780DB790E8CCB51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction ID: e18cfc3544e1718e30cf92c9d192175ebe07fd4bd97635eb6bfcbbe8ea14d4e7
                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction Fuzzy Hash: F31103B0A00B64CEC720CF5AC55029AFBE4FFA5708B00C91FC4A687B10C7F8A549CB89
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction ID: b5933131459b45e7e20483178e823f92a2c4d3edfa2e5c99600f64aca9acc73b
                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction Fuzzy Hash: FB125D74905249EFCF04CFA4C590ADDBBB1BF09308F148569F865EBB51DB31A98ACB60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction ID: cc3270c4355d6bf0b6446836456e71374a62ad6ada8b1f3e1bcd5d8a7a1bbc5b
                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction Fuzzy Hash: E1B15EB1E00209DFCB14CFA9C9849EEBBB5FF48314F24962EE415A7B50D730AA85CB55
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction ID: 9d2ad6ebbd67e4ac950273e7979eb9c02b5cd4def2a7a82f635270ad76cfa272
                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction Fuzzy Hash: FF219071F012058BCB14DFE9C5801FEF7B2FB94304F54462AC422E3B91CB744A868AA2
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAD4ECC
                                  • Part of subcall function 6CABF58A: __EH_prolog.LIBCMT ref: 6CABF58F
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction ID: 438a874c727610dc2fc019cd18056393b8de7d8491e1c72d96828cc0ef3c9e60
                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction Fuzzy Hash: 3221DAB0901B40CFC760CF6AC14429ABBF4BF29708B00C95EC0AA97B11E7B8A54DCF55
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction ID: b82a0652dbcd0727765974eff784717e36f9770260678f0d3614700e828855c4
                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction Fuzzy Hash: 2141B970D05289AFCF14DBE0E5908EEB775AF11308B14C25DD12167960EB36AACDCF06
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: 3a12360a2a6d98fef05547dc54f0ed85cb7fe8f82716b2c2b3d9ef6e51291386
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: 87119076304244BFEB218AA4CC84EBF7BBDEB89744F10882DB65156B50C6B1AC48D761
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAAE077
                                  • Part of subcall function 6CAADFF5: __EH_prolog.LIBCMT ref: 6CAADFFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction ID: 90226aca075681b5439d8d676d0d4163d8412f15807492804ad8567307f98f4d
                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction Fuzzy Hash: 90E1EF309002099ECF11DFE4CA90BEDB7B1AF15318F144119D8556BBA0EB75AAEFCB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction ID: 68e47e4f597ec4528d4882f8ab29f96aa46b7d7eef2e5133a260c14109983a4a
                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction Fuzzy Hash: C2914BB1911249EFCB10DF99C9849DEFBF4FF18308F54491EE596A7A90D770AA88CB10
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAC8C5D
                                  • Part of subcall function 6CAC761A: __EH_prolog.LIBCMT ref: 6CAC761F
                                  • Part of subcall function 6CAC7A2E: __EH_prolog.LIBCMT ref: 6CAC7A33
                                  • Part of subcall function 6CAC8EA5: __EH_prolog.LIBCMT ref: 6CAC8EAA
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction ID: c7d4f0c05a930f3fc16a6784018eaca52d4104f85e32f790b6972dc89bb12ef7
                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction Fuzzy Hash: 16813931E00159DFCF15DFA8DA90ADDB7B5AF18318F10409AE416A77A0DB30AE8DCB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction ID: 0c8c451e9e9d82ae6b400d261f8905be39523bdbde8489e44fcce2c38d0d85ee
                                • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction Fuzzy Hash: 8061F571A012099FDF11CF94C5547EE77F2AF4534AF288058E8A4AFA41D771DD8ACBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: CK$CK
                                • API String ID: 3519838083-2096518401
                                • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction ID: b3682c34719f9ae0f2bf4dfb3788c6f000513cd8debe3523833b99e467a8de18
                                • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction Fuzzy Hash: 30518075A002059FDB04CFA4C884BEEB3B5FB88358F188529E911EB745DB75A9468B60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: PdJ$Q
                                • API String ID: 3519838083-3674001488
                                • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction ID: 07ad8f8a478ae7563272b076c03496f8ccf1527eb5eeaadbbe97aab2ccb75ac6
                                • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction Fuzzy Hash: 4141D075D01259DBCB10DFA8C8909DDB3B4FF49318F16C12EEA26B7A40C330AA85CB94
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction ID: d81916c87b6658482faf5839628ed04a749f383fb251ef961dbce5e42e34346c
                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction Fuzzy Hash: 7541A031605745EFDB118FF0C6907EABBE6FF49208F04442EE05A57750CB326989DB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction ID: d369495553f538c9a1727f551cca240708dee26bba7841227dfd69ea7ff3ee02
                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction Fuzzy Hash: F421A6B09007446FD730CFA98880B6BBAFDEB48714F108D1EE146E3B41D770A944DBA5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction ID: 32ed5ded9cc783f8d3f8798ff5b36916e84f1b7765bd0c0ced2ae7df4624d230
                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction Fuzzy Hash: F701ADB2E01249DADB10DFE984809AEF7B4FF59308F40842EE469F3A40C7345948DB99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction ID: c740691caeae71024130d8ba0fcb69cd64dd9ff4d8e28d0fa9cadf5d341261da
                                • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction Fuzzy Hash: 10113971A01249DBCB00DF99C4909AEB7B8FF58348B50C86EE469F7A40D3389A85DB95
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: p/K$J
                                • API String ID: 3519838083-2069324279
                                • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction ID: 40dc0a2459d150e025aaa597be2502b83aad2e4bb11ca54bd8a9c47e50b72e29
                                • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction Fuzzy Hash: 5C01BCB1A117519FD724CF58D5043AEFBF4EF44729F10C81EA096A3B40C7F8A9088BA5
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAEAFCC
                                  • Part of subcall function 6CAEA4D1: __EH_prolog.LIBCMT ref: 6CAEA4D6
                                  • Part of subcall function 6CAE914B: __EH_prolog.LIBCMT ref: 6CAE9150
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction ID: 137862c14f74db4ae97465ea9f53b88d8e70a47a43e40ffde13ed0155fb9d3db
                                • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction Fuzzy Hash: 690105B1804B50CFC325CF65C5A42CAFBF0BB15304F90C95EC0A657B50D7B8A508CB68
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAE43F9
                                  • Part of subcall function 6CAE4320: __EH_prolog.LIBCMT ref: 6CAE4325
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: `)L$|{J
                                • API String ID: 3519838083-2198066115
                                • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction ID: 266c86807152522e779c65b3c8f9a898b32c85e4aff8b40268c88e4c99ac2c2d
                                • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction Fuzzy Hash: C9F0A072610014FFCB059F94DD04FDEBBB9FF49314F00802AF915A6650CBB56A18DB98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction ID: e219480a4247e18123d706935f603e37f2504457b981302b92223b5751461b5f
                                • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction Fuzzy Hash: 26E06D32A155209FDB049F48D820BEEF7B5EF85764F12411EE011A7B51CBB1AC448784
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463
                                • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction ID: 36e6a3a527f85d0733614ad9bb69d8d604435527a48d0e67bc3e2c156a3df145
                                • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction Fuzzy Hash: 5851E530A042899BCF05CFA0DA40ADEBBB5FF6531CF10441AE81567A90DB72999DCFA5
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2210821744.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAA8000, based on PE: true
                                • Associated: 00000006.00000002.2211547741.000000006CB73000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2211588106.000000006CB79000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6c8f0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: (?K$8?K$H?K$CK
                                • API String ID: 0-3450752836
                                • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction ID: ae879b5c657beb941d6c1226de36d13fdb9d974b14b297e90b6c2772d040822e
                                • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction Fuzzy Hash: 14F017B06017009FC7208F06D54869BBBF4EB4170AF50C91EE49A9BA40D3B8A5088FA9