
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_1.0.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_1.0.1.exe (renamed because original name is a hash value)
Original sample name: _1.0.1.exe
Analysis ID: 1579604
MD5: e927de0d1a14c591a56b4cea00e4e7a0
SHA1: fdf1ffc45903447f2a6ec0a3c11e1f965674ffa5
SHA256: 2dd9a2505feb807103a8caff637f1c046d2d0dba41ac9403a99979e13acb45b4
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe (PID: 1804 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" MD5: E927DE0D1A14C591A56B4CEA00E4E7A0)
    • #U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PID: 3896 cmdline: "C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2041E,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 5820 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4900 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_1.0.1.exe (PID: 3184 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT MD5: E927DE0D1A14C591A56B4CEA00E4E7A0)
        • #U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PID: 3664 cmdline: "C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$30440,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 5648 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 3472 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1924 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5920 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2716 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2632 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5896 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2184 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1540 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3192 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4888 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6444 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2836 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 516 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6408 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1540 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6280 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6484 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6044 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2184 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4892 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6216 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2632 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6504 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6488 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2041E,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ParentProcessId: 3896, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5820, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1924, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5920, ProcessName: sc.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1924, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5920, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2041E,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ParentProcessId: 3896, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5820, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 84.4% probability
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000E.00000003.2304382898.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000E.00000003.2304489025.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.14.dr
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp; Code function: 7_2_6CABAEC0 FindFirstFileA,FindClose,7_2_6CABAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_005A6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_005A6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_005A7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_005A7496
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.0000000004210000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr; String found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; String found in binary or memory:
  • http://www.metalinker.org/
  • http://www.metalinker.org/basic_string::_M_construct
  • https://aria2.github.io/
  • https://aria2.github.io/Usage:
  • https://github.com/aria2/aria2/issues
  • https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2167723439.0000000003330000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2168545820.000000007EC4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000000.2170180557.0000000000311000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000007.00000000.2262816640.00000000007AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr; String found in binary or memory:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp; Process information set: 01 00 00 00

System Summary

barindex
Source: update.vac.2.dr Static PE information: section name: .=~
Source: update.vac.7.dr Static PE information: section name: .=~
Source: hrsw.vbc.7.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C943886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C943886
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6CAC5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,7_2_6CAC5120
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C943C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C943C62
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C943D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C943D18
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6CAC5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6CAC5D60
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C943D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C943D62
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C9439CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C9439CF
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C943A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C943A6A
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6C941950 CreateFileA,DeviceIoControl,CloseHandle,7_2_6C941950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 0063FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 005A1E40 appears 152 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 005A28E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: String function: 6CAF9240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: String function: 6CB96F10 appears 727 times
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000000.2165718377.0000000000749000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2168545820.000000007EF4A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2167723439.000000000344E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.14.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.14.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal80.evad.winEXE@133/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6CAC5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6CAC5D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_005A9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_005A9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_005B3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_005B3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_005A9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,11_2_005A9252
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Code function: 7_2_6CAC5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,7_2_6CAC5240
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp File created: C:\Program Files (x86)\Windows NT\is-9SJIN.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2041E,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$30440,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2041E,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$30440,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (30 events)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
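The process-creation rows above record the whole chain in order: the Inno Setup installer (the is-*.tmp child with /SL5= and /VERYSILENT) runs powershell.exe with Add-MpPreference -ExclusionPath 'C:\', which excludes the entire system drive from Defender scanning; it registers tProtect.dll from Program Files as a kernel-mode service (sc create ... type= kernel start= auto); it extracts two password-protected archives with 7zr.exe, the passwords sitting on the command line; and it then retries sc start CleverSoar dozens of times. As an added example (not part of the Joe Sandbox report and not the sandbox's own signature logic), the Python script below parses rows in this report's format and flags each of those four behaviours. The rule names, the three-attempt retry threshold and the heuristic that a kernel service's binPath should be a .sys under System32\drivers are the author's assumptions; the sample rows are a constructed, condensed copy of the rows above, and the parser also accepts the run-together "cmd.exeProcess created:" form that the sandbox's text export produces.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a condensed copy of process-creation rows from the report
# (the service-start loop cut to four attempts).
SAMPLE_ROWS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
"""

ROW_RE = re.compile(
    r"Source:\s*(?P<source>.*?)\s*\|?\s*Process created:\s*"   # the '|' is optional: the text
    r"(?P<image>.*?\.(?:exe|tmp))\s+(?P<cmdline>.*)$"          # export runs the two cells together
)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted paths as one token
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "7z", "7za", "7zr"}
RETRY_THRESHOLD = 3                     # assumption: this many 'sc start X' is a loop, not a retry


@dataclass
class ProcessRow:
    source: str      # parent image, or "unknown" when the sandbox could not attribute it
    image: str       # child image path
    cmdline: str     # child command line
    tokens: list = field(default_factory=list)

    @property
    def verb(self):
        """First token without quotes or directory: 'sc', 'powershell.exe', '7zr.exe'."""
        return self.tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if self.tokens else ""


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            cmd = m.group("cmdline").strip()
            rows.append(ProcessRow(m.group("source"), m.group("image"), cmd, TOKEN_RE.findall(cmd)))
    return rows


def sc_options(tokens):
    """sc.exe's 'key= value' pairs as a dict: keys lower-cased, quotes stripped."""
    return {t[:-1].lower(): tokens[i + 1].strip('"')
            for i, t in enumerate(tokens[:-1]) if t.endswith("=")}


def analyze(text):
    findings, starts = [], Counter()
    for row in parse_rows(text):
        low, toks = row.cmdline.lower(), row.tokens

        # 1. Defender exclusion; a bare drive root means the whole drive is excluded.
        if "add-mppreference" in low and "-exclusionpath" in low:
            m = re.search(r"""-exclusionpath\s+['"]?([a-z]:\\[^'"]*)""", low)
            path = m.group(1) if m else ""
            findings.append({"rule": "defender_exclusion", "path": path,
                             "broad": re.fullmatch(r"[a-z]:\\?", path) is not None})

        # 2. Kernel-mode service whose binary is not a .sys under System32\drivers
        #    (assumption: that is where a legitimately installed driver lives).
        if row.verb == "sc" and len(toks) > 2 and toks[1].lower() == "create":
            opts = sc_options(toks)
            binpath = opts.get("binpath", "")
            expected = binpath.lower().endswith(".sys") and "\\system32\\drivers\\" in binpath.lower()
            if opts.get("type", "").lower() == "kernel" and not expected:
                findings.append({"rule": "kernel_service_nonsys", "service": toks[2],
                                 "binpath": binpath, "start": opts.get("start", "")})

        # 3. 7-Zip extraction with the password on the command line (-p<password>).
        if row.verb in ARCHIVERS:
            passwords = [t[2:] for t in toks if t.startswith("-p") and len(t) > 2]
            operands = [t for t in toks[2:] if not t.startswith("-")]
            if passwords:
                findings.append({"rule": "password_archive", "archive": operands[0] if operands else "",
                                 "password": passwords[0]})

        # 4. Tally 'sc start <name>' so a retry loop is reported once, with its count.
        if row.verb == "sc" and len(toks) > 2 and toks[1].lower() == "start":
            starts[toks[2]] += 1

    for name, n in starts.items():
        if n >= RETRY_THRESHOLD:
            findings.append({"rule": "service_start_retry", "service": name, "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ROWS):
        print(finding)
```

Run against the full report the retry rule reports CleverSoar with the complete count rather than one row per attempt; the defender_exclusion finding carries broad=True for 'C:\', which is the case worth paging on, since a narrow exclusion for a product directory is routine in enterprise installers.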
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Sections loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, wldp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, miutils.dll, gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Sections loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, windows.storage.dll, wldp.dll, sspicli.dll, dwmapi.dll, sfc.dll, sfc_os.dll, explorerframe.dll, wininet.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static file information: File size 5707247 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000E.00000003.2304382898.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000E.00000003.2304489025.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.14.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_006257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_006257D0
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: real checksum: 0x0 should be: 0x57a2f0
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.14.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vac.7.dr | Static PE information: section name: .00cfg
Source: update.vac.7.dr | Static PE information: section name: .voltbl
Source: update.vac.7.dr | Static PE information: section name: .=~
Source: is-5O4M7.tmp.7.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CAC86FF push ecx; ret 7_2_6CAC86FE
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6C964BB4 push 89DA2953h; retf 7_2_6C964BB9
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CB96F10 push eax; ret 7_2_6CB96F2E
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CAFB9F4 push 004AC35Ch; ret 7_2_6CAFBA0E
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CB97290 push eax; ret 7_2_6CB972BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_005A45F4 push 0064C35Ch; ret 11_2_005A460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0063FB10 push eax; ret 11_2_0063FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0063FE90 push eax; ret 11_2_0063FEBE
Source: update.vac.2.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.7.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HFVUL.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1OQC2.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1OQC2.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\is-5O4M7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HFVUL.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HFVUL.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1OQC2.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3118
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window / User API: threadDelayed 591
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window / User API: threadDelayed 582
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Window / User API: threadDelayed 553
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HFVUL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1OQC2.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1OQC2.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-5O4M7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HFVUL.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6504 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CABAEC0 FindFirstFileA,FindClose, 7_2_6CABAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_005A6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_005A6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_005A7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_005A7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_005A9C60 GetSystemInfo, 11_2_005A9C60
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000002.2277020554.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\X
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000002.2277020554.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000002.2277020554.000000000136E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar&Prod_VMware_SATA_CD00#4&224f42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6C943886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6C943886
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CAD0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6CAD0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_006257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_006257D0
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CAD9D66 mov eax, dword ptr fs:[00000030h] 7_2_6CAD9D66
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CAC8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6CAC8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.14.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp | Code function: 7_2_6CB97720 cpuid 7_2_6CB97720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_005AAB2A GetSystemTimeAsFileTime,11_2_005AAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_00640090 GetVersion,11_2_00640090
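The process-creation lines above carry the report's most actionable findings: an Inno Setup temp binary launches PowerShell to exclude the whole C:\ drive from Defender scanning, and cmd.exe registers CleverSoar as a kernel-mode service (type= kernel) whose image is a .dll under Program Files rather than a .sys under System32\drivers, then starts it. The Python below is an added example, not Joe Sandbox code: it replays those command lines as constructed process-creation records (the Sysmon-style field names and the PIDs are assumptions of the example), parses the sc.exe "key= value" syntax, flags the drive-root exclusion and the out-of-place kernel service, and renders the process tree with the hits attached.

```python
"""Triage of the process-creation chain in this report.

Added example, not Joe Sandbox code. EVENTS is constructed from the
"Process created" lines above; the field names imitate a Sysmon Event ID 1
export and the PIDs are invented for the example.
"""
import re
from collections import defaultdict

INSTALLER = r"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
INSTALLER_TMP = (r"C:\Users\user\AppData\Local\Temp\is-11HPC.tmp"
                 r"\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp")
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"

EVENTS = [  # constructed from the report; PIDs are assumptions
    {"pid": 100, "ppid": 4, "image": INSTALLER, "cmd": f'"{INSTALLER}"'},
    {"pid": 101, "ppid": 100, "image": INSTALLER_TMP, "cmd": f'"{INSTALLER_TMP}"'},
    {"pid": 102, "ppid": 101, "image": POWERSHELL,
     "cmd": '"powershell.exe" -Command "Add-MpPreference -ExclusionPath \'C:\\\'"'},
    {"pid": 103, "ppid": 101, "image": INSTALLER, "cmd": f'"{INSTALLER}" /VERYSILENT'},
    {"pid": 104, "ppid": 4, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 105, "ppid": 104, "image": SC,
     "cmd": 'sc create CleverSoar displayname= CleverSoar binPath= '
            r'"C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"pid": 106, "ppid": 104, "image": SC, "cmd": "sc start CleverSoar"},
]

EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"\s]+)", re.I)
SC_CREATE_RE = re.compile(r'^"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+create\s+(\S+)\s+(.*)$', re.I)
SC_START_RE = re.compile(r'^"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+start\s+(\S+)', re.I)
SC_ARG_RE = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # where a legitimate kernel driver normally lives


def parse_sc_args(rest):
    """sc.exe takes 'key= value' pairs (note the space); quoted values may contain spaces."""
    return {k.lower(): (quoted or bare) for k, quoted, bare in SC_ARG_RE.findall(rest)}


def check_defender_exclusion(cmd):
    """Return a finding string if the command adds a Defender path exclusion."""
    m = EXCLUSION_RE.search(cmd)
    if not m:
        return None
    path = m.group(1)
    if re.fullmatch(r"[A-Za-z]:\\?", path):
        return f"Defender exclusion for an entire drive: {path}"
    return f"Defender exclusion added: {path}"


def check_kernel_service(cmd):
    """Return a finding string if 'sc create' registers a kernel driver from an odd location."""
    m = SC_CREATE_RE.match(cmd)
    if not m:
        return None
    name, args = m.group(1), parse_sc_args(m.group(2))
    if args.get("type", "").lower() != "kernel":
        return None
    path = args.get("binpath", "")
    reasons = []
    if not path.lower().endswith(".sys"):
        reasons.append("driver image is not a .sys file")
    if not path.lower().startswith(DRIVER_DIR):
        reasons.append("driver image outside System32\\drivers")
    return f"kernel service {name} -> {path} ({'; '.join(reasons)})" if reasons else None


def triage(events):
    """Run both rules, then tie 'sc start' events to services flagged at creation."""
    findings, flagged = [], set()
    for e in events:
        if d := check_defender_exclusion(e["cmd"]):
            findings.append((e["pid"], "defender_exclusion", d))
        if k := check_kernel_service(e["cmd"]):
            findings.append((e["pid"], "kernel_service", k))
            flagged.add(SC_CREATE_RE.match(e["cmd"]).group(1).lower())
    for e in events:
        m = SC_START_RE.match(e["cmd"])
        if m and m.group(1).lower() in flagged:
            findings.append((e["pid"], "kernel_service_start", f"start of flagged service {m.group(1)}"))
    return findings


def render_tree(events, findings):
    """Indented parent/child view of the events, with rule names beside the hits."""
    by_pid = {e["pid"]: e for e in events}
    children, hits = defaultdict(list), defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    for pid, rule, _ in findings:
        hits[pid].append(rule)
    lines = []

    def walk(pid, depth):
        tag = f"  <-- {', '.join(hits[pid])}" if hits[pid] else ""
        lines.append("  " * depth + by_pid[pid]["image"].rsplit("\\", 1)[-1] + tag)
        for child in children[pid]:
            walk(child, depth + 1)

    for root in sorted(p for p in children if p not in by_pid):  # parents we never saw
        for child in children[root]:
            walk(child, 0)
    return lines


if __name__ == "__main__":
    found = triage(EVENTS)
    print("\n".join(render_tree(EVENTS, found)))
    for pid, rule, detail in found:
        print(f"pid {pid} [{rule}] {detail}")
```

Both rules will also fire on some legitimate software (security products install drivers from their own directories, and administrators do add exclusions), so treat the kernel-service path check as a triage lead rather than a verdict; the pairing of a drive-wide exclusion and a kernel service pointing at a .dll in the same install chain is what makes this sample stand out.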
MITRE ATT&CK Matrix (a number in front of a technique name is the count badge the report shows for signatures mapped to that technique; cells without a number had no signature mapped to them in this analysis):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 25 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1579604, Sample: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Start date: 23/12/2024, Architecture: WINDOWS, Score: 80

Signatures attached to the sample as a whole:
- Found driver which could be used to inject code into processes
- PE file contains section with special chars
- AI detected suspicious sample
- Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (dropped files and signatures are listed under the process that produced them):

#U5b89#U88c5#U52a9#U624b_1.0.1.exe
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PE32)
  #U5b89#U88c5#U52a9#U624b_1.0.1.tmp
    dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    #U5b89#U88c5#U52a9#U624b_1.0.1.exe
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp (PE32)
      #U5b89#U88c5#U52a9#U624b_1.0.1.tmp
        dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        dropped: C:\Program Files (x86)\...\trash (copy) (PE32+)
        dropped: 3 other files (none is malicious)
        signature: Query firmware table information (likely to detect VMs)
        signature: Protects its processes via BreakOnTermination flag
        signature: Hides threads from debuggers
        signature: Contains functionality to hide a thread from the debugger
        7zr.exe
          dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          conhost.exe
        7zr.exe
          conhost.exe
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe
    conhost.exe
      Conhost.exe
cmd.exe
  sc.exe
    conhost.exe
30 other processes
  sc.exe
    conhost.exe
  sc.exe
    conhost.exe
  sc.exe
    conhost.exe
  26 other processes
    conhost.exe
    25 other processes

Antivirus detection, sample:
#U5b89#U88c5#U52a9#U624b_1.0.1.exe: ReversingLabs 0%; Virustotal 6%

Antivirus detection, dropped files:
C:\Program Files (x86)\Windows NT\7zr.exe: ReversingLabs 0%
C:\Program Files (x86)\Windows NT\is-5O4M7.tmp: ReversingLabs 0%
C:\Program Files (x86)\Windows NT\tProtect.dll: ReversingLabs 9%
C:\Program Files (x86)\Windows NT\trash (copy): ReversingLabs 0%
C:\Users\user\AppData\Local\Temp\is-1OQC2.tmp\_isetup\_setup64.tmp: ReversingLabs 0%
C:\Users\user\AppData\Local\Temp\is-HFVUL.tmp\_isetup\_setup64.tmp: ReversingLabs 0%

No Antivirus matches for the remaining scanned sources.
No contacted domains info
URLs found in memory dumps and dropped files (source; malicious flag; reputation):

https://aria2.github.io/Usage:
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; Malicious: false; Reputation: unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe; Malicious: false; Reputation: high
https://github.com/aria2/aria2/issuesReport
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; Malicious: false; Reputation: high
http://www.metalinker.org/
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; Malicious: false; Reputation: unknown
https://www.remobjects.com/ps
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2167723439.0000000003330000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2168545820.000000007EC4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000000.2170180557.0000000000311000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000007.00000000.2262816640.00000000007AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr; Malicious: false; Reputation: high
https://aria2.github.io/
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; Malicious: false; Reputation: unknown
https://github.com/aria2/aria2/issues
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; Malicious: false; Reputation: high
https://www.innosetup.com/
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2167723439.0000000003330000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.exe, 00000000.00000003.2168545820.000000007EC4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000000.2170180557.0000000000311000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000007.00000000.2262816640.00000000007AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_1.0.1.tmp.0.dr; Malicious: false; Reputation: high
http://www.metalinker.org/basic_string::_M_construct
  Source: #U5b89#U88c5#U52a9#U624b_1.0.1.tmp, 00000002.00000003.2259224248.00000000046B9000.00000004.00001000.00020000.00000000.sdmp, is-5O4M7.tmp.7.dr; Malicious: false; Reputation: unknown
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1579604
                    Start date and time:2024-12-23 05:15:51 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 6s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Run name:Run with higher sleep bypass
                    Number of new started processes analysed:108
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Critical Process Termination
                    Sample name:#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                    renamed because original name is a hash value
                    Original Sample Name:_1.0.1.exe
                    Detection:MAL
                    Classification:mal80.evad.winEXE@133/32@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 67%
                    • Number of executed functions: 19
                    • Number of non-executed functions: 120
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
                    No context
Related samples (Joe Sandbox View, matched on C:\Program Files (x86)\Windows NT\7zr.exe):
- #U5b89#U88c5#U52a9#U624b_1.0.9.exe: detection malicious, threat name Unknown
- #U5b89#U88c5#U52a9#U624b_1.0.8.exe: detection malicious, threat name Unknown
- #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe: detection malicious, threat name Unknown
- #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe: detection malicious, threat name Unknown
- ekTL8jTI4D.msi: detection malicious, threat name Unknown
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):831200
                              Entropy (8bit):6.671005303304742
                              Encrypted:false
                              SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                              MD5:84DC4B92D860E8AEA55D12B1E87EA108
                              SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                              SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                              SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
                              • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
                              • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              • Filename: ekTL8jTI4D.msi, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):249968
                              Entropy (8bit):7.999211756066816
                              Encrypted:true
                              SSDEEP:6144:N0wZbYJgxjYCjmIbsdVQV5FhxZO9y4DJSJJxXdChL54nxXg:JygWCKnVQVzh69hQ7MhF4nxXg
                              MD5:45CB5DC5018CDEB5A473F0B00E0C8BAE
                              SHA1:0A645DA501A7E2D22711F5C9548EDA6D6AC3D3AD
                              SHA-256:BDA1698AD6C7072F9BAF5B180171B0765269C6BC46A619BF17242F542BAC0177
                              SHA-512:3DE7E64CA36E43066B5C698FC18569F6B279E886B3FB762BFE3929B676BA23C1981B1810A11F7837095F13956E831195EC75C806118FFEEACFF700039226AD9A
                              Malicious:false
                              Preview:.@S....HO(..,................d..Im%..K..Qp....eQ.f,..h*.Y...&........".M..'.j....{.F....7.{..........W"K.....(A....E{.[..i.....D.(.".~...........S.......C.kT...;.5..7.u..]E6..>...eE..s..PU.R'..G...H./....s.E..$DJ...1.8>..G.|...x....:...1....!.C0BH.....*.]y.Ko;....<..n....K.U)1.JQ.u!:.i).B;......gz.....\..........P@..).K+..i...Y........?..\j.G...4.F..D.#.B..e{.'..T.n.L..h.vL.C>......A..1.1....J`!..y... ...m49/...d...!.=.....G......&.....a..0......nX..)<O..#....}.(.T..g.....9..J..V..l.........{@VV>... \...|....'....u.".H.".f....F..a...0.Db....4.u...$L.]5/.o...i*JmM.dk...df......,.SM.....a...5V^9$@...uo.p.m\..xMwD.A.@.........f.X.y g......S.F....-WrJC.U.$..9).b......D.wJ...vUg.....C,.T....y..._.}?!;@..N..j......p.........W....6.w....m......$3.v...4.&b._...EL.O1.."I>w..*.h.d.3.~...u../y.Q.O..60...W...i).6o.....;..{.._....m...-...\...s.f......@.2..........$..7n.q.9f.b...-P.@F.01..C5.6_.-2..y..].\)[Tq.^H./.p....v......3.}t.......=......".(~
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                              Category:dropped
                              Size (bytes):5649408
                              Entropy (8bit):6.392614480390128
                              Encrypted:false
                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):249968
                              Entropy (8bit):7.999211756066816
                              Encrypted:true
                              SSDEEP:6144:N0wZbYJgxjYCjmIbsdVQV5FhxZO9y4DJSJJxXdChL54nxXg:JygWCKnVQVzh69hQ7MhF4nxXg
                              MD5:45CB5DC5018CDEB5A473F0B00E0C8BAE
                              SHA1:0A645DA501A7E2D22711F5C9548EDA6D6AC3D3AD
                              SHA-256:BDA1698AD6C7072F9BAF5B180171B0765269C6BC46A619BF17242F542BAC0177
                              SHA-512:3DE7E64CA36E43066B5C698FC18569F6B279E886B3FB762BFE3929B676BA23C1981B1810A11F7837095F13956E831195EC75C806118FFEEACFF700039226AD9A
                              Malicious:false
                              Preview:.@S....HO(..,................d..Im%..K..Qp....eQ.f,..h*.Y...&........".M..'.j....{.F....7.{..........W"K.....(A....E{.[..i.....D.(.".~...........S.......C.kT...;.5..7.u..]E6..>...eE..s..PU.R'..G...H./....s.E..$DJ...1.8>..G.|...x....:...1....!.C0BH.....*.]y.Ko;....<..n....K.U)1.JQ.u!:.i).B;......gz.....\..........P@..).K+..i...Y........?..\j.G...4.F..D.#.B..e{.'..T.n.L..h.vL.C>......A..1.1....J`!..y... ...m49/...d...!.=.....G......&.....a..0......nX..)<O..#....}.(.T..g.....9..J..V..l.........{@VV>... \...|....'....u.".H.".f....F..a...0.Db....4.u...$L.]5/.o...i*JmM.dk...df......,.SM.....a...5V^9$@...uo.p.m\..xMwD.A.@.........f.X.y g......S.F....-WrJC.U.$..9).b......D.wJ...vUg.....C,.T....y..._.}?!;@..N..j......p.........W....6.w....m......$3.v...4.&b._...EL.O1.."I>w..*.h.d.3.~...u../y.Q.O..60...W...i).6o.....;..{.._....m...-...\...s.f......@.2..........$..7n.q.9f.b...-P.@F.01..C5.6_.-2..y..].\)[Tq.^H./.p....v......3.}t.......=......".(~
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.99665961794448
                              Encrypted:true
                              SSDEEP:1536:sU9ckA31pDBI7XiSQW0lIyp0nfdTeJJMnaJbO2:sRkAFpFIfVAX2lsbr
                              MD5:E24AB44862B98B5FF4047392DC9E6154
                              SHA1:4BA925CFA75BBE107DE3BAA24C99C33FEE7E37C3
                              SHA-256:8322FCDE87688C0C1BC42F89AFE46DE3911F74627774888CF0473D6C56C561AB
                              SHA-512:727F7CEA4D5953D75E33E4F03BD14D4F7C2834945AF669653072F9AE381FBE15B3298052EAC76D052E648A23D02664D23B4C230D522A297AE73FD25187E371F3
                              Malicious:false
                              Preview:.@S......./| ...............f..u].L..s.......9....(1.Z.7. .^..>.67........cc1...r..<0r.j...F.iI"7yM2e.oKZK.<l.d]e,6.7..k....Twk1.EKU[e........#..J.H&...#'z..|.B">uM.&+.3...'...........Q....O..[^G0...j...Z..Z......P.Q......SBo...........E....|.U....8.m..8.@*...$8dn...g.3x.8...m.*.CJ...p....d....h......M|x.\=.-*...F..4../...2..Z.T..G.E...i.{&.@d..L.,..Q..%.S.FB.,..mS..a.#![>8.3E1.I.A..Zt.......kO1.....0E.....z.k...~d....q.....f....yH......e.....dP.....l...G....$.\'......A._F.1Y.Z0^F..41..h...........<.p..kI....o..WF.*B.5..dG..m~^~C..Q~j.j+.6.4....B>.{M..5.......4M.fQ..&....~.\ .C.v=..{)7"....\r..!.......0:t.U...d.^A..BA.L...0x.%...>.....P.o....9.=..Y.t....F....A[/z.....S.'_*.*1.C.....66...._r<.Dm.6..,.>..J.qS..0St*!J..I....=...5$......X.......Y}.d....Y...S8%.Z..*.P.,P!.f>....&...CO...... ..!9f..\....I..sC..|..t..B.B..K.......4...P.........[W.3J5Of.g.X...FD..$.cY.c.U..c.F....4nM.g..........7.0.lgsB.!-.....2Z<z.....aWi.{..Z..?.D...r...QF.
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56530
                              Entropy (8bit):7.996659617944482
                              Encrypted:true
                              SSDEEP:768:y02vNxga1LZoq/XnKcxKY5tajmkKWVh7oPUU0LbvtW8YrZ6PnK1li6T1XBHYDa:y02Vxga1Nx/XnKPY5EjzGH0LjkoPKZVH
                              MD5:73D8B945B42E6E03EA8BDEE281D0F951
                              SHA1:48FF54E1A4A13DD64D70B62C9FA0057A9B8EAB42
                              SHA-256:3E2947E4F7C6003A56AE139BE1E7E59AD3B5B896AC637756E3331BCF7056D877
                              SHA-512:68E2BDB7DD42397334DAC2AAF888761F8FD9EA2EC381D6F6B170E01444B9E555F4B3FEB3129D20748EFF62D41BB29DD8F9380310CCAEE29EF53BC6195D852C66
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255975
                              Encrypted:true
                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):249968
                              Entropy (8bit):7.999211756066819
                              Encrypted:true
                              SSDEEP:6144:h4MUFOk8txcHNp1w1yXs1aLQI+guQgLE03bzyL5:hj+Ok8rONfw14uaLNeJzO5
                              MD5:902C32D2B07BC62D00E528C624DF4B64
                              SHA1:EC3223C30C2FD29A18975D01BC5FA74442D73248
                              SHA-256:966EDB310BC5221082217ABA9B730BE82DCC7E54FCF2FEFCB52B731FB0EB8D6C
                              SHA-512:D09EE8D46AED66010A47A0BB12365736392FCB6F25A385E6C5C3FCDCFBF885A234DD881B6040F39EA97A8A43DA3368BD6DD13A4E7E36111A57BEBF23101654C6
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.3482223822620667
                              Encrypted:false
                              SSDEEP:48:dXKLzDln/L6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnewhldOVQOj6dKbKsz7
                              MD5:1E1D0466AB0FE8F2802587D337A10567
                              SHA1:362B3B6EFBE51EBD0702167061812CA567BB11BD
                              SHA-256:8B761FF2FDDF15A5E1AB4758D2112550B9A857F3B77F6A8EDC5F33586AEA06EC
                              SHA-512:4F37DAE32D421BB88B4C2B079461BE28F47343E84A1546519CC8107C2A842C16D14D736504457E4586BFB92E68B01D905BC3B45C4F68FA1FF6E87B41A9996809
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwo
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                              Category:dropped
                              Size (bytes):5649408
                              Entropy (8bit):6.392614480390128
                              Encrypted:false
                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1628158735648508
                              Encrypted:false
                              SSDEEP:3:Nlllul5mxllp:NllU4x/
                              MD5:3A925CB766CE4286E251C26E90B55CE8
                              SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                              SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                              SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                              Malicious:false
                              Preview:@...e................................................@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.921226213607136
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.04%
                              • Inno Setup installer (109748/4) 1.08%
                              • InstallShield setup (43055/19) 0.42%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              File name:#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              File size:5'707'247 bytes
                              MD5:e927de0d1a14c591a56b4cea00e4e7a0
                              SHA1:fdf1ffc45903447f2a6ec0a3c11e1f965674ffa5
                              SHA256:2dd9a2505feb807103a8caff637f1c046d2d0dba41ac9403a99979e13acb45b4
                              SHA512:8b33ac84a8d4edd6b8245565f88ebbad40670710630955dca7696410584f20dbcb29f155fc2d910f322a5842c1e8dbdc8b6ad01092023d1ec37962bbdafd1787
                              SSDEEP:98304:XwRE9dQgIudso3UTFvkZlHIU4s2gFO8eZw++bRxbUlOxFtGIidMwZgf:lpdzU0loU4D8eZw+qxbEs
                              TLSH:CA461213F2CBE03EE05D1B3B06B2A15494FBAA616423AD5696ECB4ECCF351601D3E647
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:0c0c2d33ceec80aa
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007FC92CE44FE5h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007FC92CED696Bh
                              call 00007FC92CED64BEh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007FC92CED1198h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007FC92CE3F093h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007FC92CED24C3h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007FC92CED69F3h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007FC92CEDD6DAh
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007FC92CED2DB8h
                              mov edx, dword ptr [004B4200h]
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xcb000 | 0x11000 | 0x11000 | 37d272d79f500ceea55e69cb32835e9d | False | 0.18785903033088236 | data | 3.7213025055162317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                               RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                               RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                               RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                               RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                               RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                               RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                               RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                               RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                               RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                               RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                               RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                               RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                               RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                               RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                               RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                               RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                               RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                               RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                               RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                               RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                               RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                               RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                               RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                               RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                               RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                               RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                               RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                               RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                               RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                               DLL | Import
                               kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll | InitCommonControls
                               user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                               Name | Ordinal | Address
                               __dbk_fcall_wrapper | 2 | 0x40fc10
                               dbkFCallWrapperAddr | 1 | 0x4b063c
                               Language of compilation system | Country where language is spoken | Map
                               English | United States |
                              No network behavior found

                              Target ID:0
                              Start time:23:16:47
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
                              Imagebase:0x690000
                              File size:5'707'247 bytes
                              MD5 hash:E927DE0D1A14C591A56B4CEA00E4E7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:23:16:47
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-11HPC.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$2041E,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe"
                              Imagebase:0x310000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:23:16:48
                              Start date:22/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:23:16:48
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:23:16:52
                              Start date:22/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff717f30000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:6
                              Start time:23:16:56
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
                              Imagebase:0x690000
                              File size:5'707'247 bytes
                              MD5 hash:E927DE0D1A14C591A56B4CEA00E4E7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:7
                              Start time:23:16:57
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-8KP71.tmp\#U5b89#U88c5#U52a9#U624b_1.0.1.tmp" /SL5="$30440,4752854,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.1.exe" /VERYSILENT
                              Imagebase:0x530000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:8
                              Start time:23:16:59
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:23:16:59
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:23:16:59
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:23:16:59
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0x5a0000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:true

                              Target ID:12
                              Start time:23:16:59
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:23:17:00
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0x5a0000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:23:17:00
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true
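The process records above show the installer's actual persistence step: `sc create CleverSoar ... type= kernel start= auto` registers a kernel-mode service whose image is a `.dll` under `C:\Program Files (x86)\Windows NT\` rather than a `.sys` in `System32\drivers`, two password-protected `.dat` archives are unpacked with `7zr.exe x -y <file> -p<password>` (the password sits on the command line), and `sc start CleverSoar` is then fired a dozen times within about two seconds. The following triage script is an added example, not part of the Joe Sandbox report and not the sample's own code: it replays process-creation records constructed to mirror the command lines listed here and flags exactly those three patterns. The record layout (timestamp, image path, command line), the burst window and threshold, and all function names are this example's own assumptions; the checks are written generally (any `sc create` of a `kernel`/`filesys` service with a non-`.sys` image or an image outside `System32\drivers`, any 7z-family extraction with an inline password from a non-archive extension, any service started repeatedly in a short window), so they cover more than the one case in the report.

```python
"""Triage filter for process-creation records (added example, not from the report).

Flags three behaviours visible in the listed command lines:
  * sc create ... type= kernel whose binPath is not a .sys under System32\\drivers
  * 7z/7zr/7za extracting a non-archive-looking file with an inline -p<password>
  * the same service (re)started many times inside a short window
Record layout, thresholds and helper names are assumptions of this example.
"""
import re
from datetime import datetime, timedelta

SC = r"C:\Windows\System32\sc.exe"
SEVENZ = r"C:\Program Files (x86)\Windows NT\7zr.exe"

# Constructed sample records (timestamp, image, command line) mirroring the report.
SAMPLE_EVENTS = (
    [("23:16:59", SC, 'sc create CleverSoar displayname= CleverSoar binPath= '
                      '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
     ("23:16:59", SEVENZ, "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
     ("23:17:00", SEVENZ, "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs")]
    + [("23:17:01", SC, "sc start CleverSoar")] * 5
    + [("23:17:02", SC, "sc start CleverSoar")] * 6
    + [("23:17:03", SC, "sc start CleverSoar")]
)

DRIVER_DIR = r"c:\windows\system32\drivers"
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted string or bare word


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths (with backslashes) whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_sc_create(cmdline):
    """Return (service_name, {option: value}) for 'sc create <name> key= value ...', else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].lower() not in ("sc", "sc.exe") or toks[1].lower() != "create":
        return None
    opts, i = {}, 3
    while i < len(toks):
        if toks[i].endswith("=") and i + 1 < len(toks):  # sc syntax: 'key= value'
            opts[toks[i][:-1].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1
    return toks[2], opts


def suspicious_kernel_service(cmdline):
    """(name, reasons) if a kernel/filesys service is created with an odd driver image."""
    parsed = parse_sc_create(cmdline)
    if not parsed or parsed[1].get("type", "").lower() not in ("kernel", "filesys"):
        return None
    name, path = parsed[0], parsed[1].get("binpath", "").lower()
    reasons = []
    if not path.endswith(".sys"):
        reasons.append("driver image has non-.sys extension: " + path.rsplit("\\", 1)[-1])
    if not path.startswith(DRIVER_DIR + "\\"):
        reasons.append("driver image outside System32\\drivers")
    return (name, reasons) if reasons else None


def password_protected_extract(image, cmdline):
    """(archive, password) when a 7z-family tool extracts a non-archive file with -p<password>."""
    exe, toks = image.rsplit("\\", 1)[-1].lower(), tokenize(cmdline)
    if exe not in ("7z.exe", "7zr.exe", "7za.exe") or len(toks) < 3 or toks[1].lower() != "x":
        return None
    password = next((t[2:] for t in toks if t.startswith("-p") and len(t) > 2), None)
    archive = next((t for t in toks[2:] if not t.startswith("-")), None)
    if password is None or archive is None or archive.lower().endswith((".7z", ".zip", ".rar")):
        return None
    return archive, password


def service_start_bursts(events, window=timedelta(seconds=5), threshold=3):
    """{service: max 'sc start' count inside `window`} for services hit >= threshold times."""
    starts = {}
    for ts, _image, cmdline in events:
        toks = tokenize(cmdline)
        if len(toks) >= 3 and toks[0].lower() in ("sc", "sc.exe") and toks[1].lower() == "start":
            starts.setdefault(toks[2].lower(), []).append(datetime.strptime(ts, "%H:%M:%S"))
    bursts = {}
    for svc, times in starts.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - t0 <= window) for i, t0 in enumerate(times))
        if best >= threshold:
            bursts[svc] = best
    return bursts


def triage(events, window=timedelta(seconds=5)):
    """Run all three checks; returns (kind, timestamp, subject, detail) tuples in event order."""
    findings = []
    for ts, image, cmdline in events:
        hit = suspicious_kernel_service(cmdline)
        if hit:
            findings.append(("kernel_service", ts, hit[0], "; ".join(hit[1])))
        hit = password_protected_extract(image, cmdline)
        if hit:
            findings.append(("password_extract", ts, hit[0], "password=" + hit[1]))
    for svc, n in service_start_bursts(events, window).items():
        findings.append(("service_start_burst", None, svc, f"{n} starts within {window.seconds}s"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(" | ".join(str(f) for f in finding))
```

Of the three checks, `type= kernel` with a non-`.sys` image is the strong signal; the `System32\drivers` path test is only supporting evidence, since third-party drivers do legitimately load from vendor directories, and some installers retry `sc start` once or twice, though not a dozen times in two seconds. The recovered `-p` passwords are directly useful: they let a responder open the dropped `res.dat` and `locale3.dat` for static analysis without needing the sample to run again.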

                              Target ID:18
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:23:17:01
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff799c70000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:23:17:02
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7934f0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:23:17:03
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7403e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:23:17:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:23:17:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:98
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff7f4390000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:23:17:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff618ab0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:266
                              Start time:23:17:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\Conhost.exe
                              Wow64 process (32bit):
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:
                              Has administrator privileges:
                              Programmed in:C, C++ or other language
                              Has exited:false


                                Execution Graph

                                Execution Coverage:1%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:48.6%
                                Total number of Nodes:214
                                Total number of Limit Nodes:12
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: }jk$;T55$L@^
                                • API String ID: 0-4218709813
                                • Opcode ID: bede895037778ef9b64a6eec927ea73f1d13420dd845f8b008fbf45a193cbba1
                                • Instruction ID: 55086b52c83ddf3dbde39fe135ad65cb4113a86684b04444c5b6b17f504dbcfc
                                • Opcode Fuzzy Hash: bede895037778ef9b64a6eec927ea73f1d13420dd845f8b008fbf45a193cbba1
                                • Instruction Fuzzy Hash: C03418716457018FC728CF28C8D0AA6B7F3EF85318B598A6DC0A64BB55EB34F55ACB40

                                Control-flow Graph

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CAC524E
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3332741929-0
                                • Opcode ID: 62b24de29259d820133c1d67bd51f983ae85ee5acccb347b06789904e46723c3
                                • Instruction ID: c9765d20f293c22c3448b74318e6d8fe5f107cd3fd9b8ac61b1734248f8d595d
                                • Opcode Fuzzy Hash: 62b24de29259d820133c1d67bd51f983ae85ee5acccb347b06789904e46723c3
                                • Instruction Fuzzy Hash: 22315974608300AFD7109F68C888B1ABBF4AF9A748F90492EF498D7360D771D9889F53

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: da120c20fc4694adf885e598321d6ba30caf6457ff55e0a35496fb6b50705971
                                • Instruction ID: 1f98ad2c5ecd7630a7350f8128aee0930de821733d2e30afcaa8ab576e724926
                                • Opcode Fuzzy Hash: da120c20fc4694adf885e598321d6ba30caf6457ff55e0a35496fb6b50705971
                                • Instruction Fuzzy Hash: 41329032245B018FC324CF38C8906A6B7E3FFD5314B69CA6DC0AA5BA95D775F44A8B50

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6c943a6a-6c943a85; same body as the graph above (blocks 6c94383b-6c94414b); calls 6ca91470 and 6ca91480 from blocks 6c94383b, 6c943bc0 and 6c943eea; call 6c943750 followed by GetCurrentThread and NtSetInformationThread in block 6c943e81-6c943ee0.
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: c652bf205e126c0d30817da475c910cf613d07276a538d3bf3c9f834760ae914
                                • Instruction ID: 792e46bcf67d2a29b225172ceef1974c2fb9624fb810c9d05099245c1f63a152
                                • Opcode Fuzzy Hash: c652bf205e126c0d30817da475c910cf613d07276a538d3bf3c9f834760ae914
                                • Instruction Fuzzy Hash: 6251FD72155B018FC320CF38C8847A6B7E3BF95314F69CA5DC0E61BA95DB74B44A8B81

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6c9439cf-6c9439ec; same body as the graphs above (blocks 6c94383b-6c94414b); calls 6ca91470 and 6ca91480 from blocks 6c94383b, 6c943bc0 and 6c943eea; call 6c943750 followed by GetCurrentThread and NtSetInformationThread in block 6c943e81-6c943ee0.
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: d6a90c5bea8e04a5bab226ec6026147fe56f58cac2c65590c26df7114844a27e
                                • Instruction ID: 42c034fa382a41c5bc9092aa666acafe75dde4f81afcfa875209074e4a5f0c56
                                • Opcode Fuzzy Hash: d6a90c5bea8e04a5bab226ec6026147fe56f58cac2c65590c26df7114844a27e
                                • Instruction Fuzzy Hash: 1151CC71115B018BC320CF38C4807A6B7E3BF99314F69CA5DC0E65BA95DB70F54A8B90

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6c943d18-6c943d35; blocks span 6c943be0-6c94414b; calls 6ca91470 and 6ca91480 from blocks 6c943e31 and 6c943eea; call 6c943750 followed by GetCurrentThread and NtSetInformationThread in block 6c943e81-6c943ee0.
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C943E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C943EAA
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: 53ba2a0847225b0fe2abbe4709d6f0515cfcd042f2ca3a61699e30f3c4c803d4
                                • Instruction ID: 4504405ccefb98dc27e2773f62857c911040f89f7a72bc27378ea90b625af25e
                                • Opcode Fuzzy Hash: 53ba2a0847225b0fe2abbe4709d6f0515cfcd042f2ca3a61699e30f3c4c803d4
                                • Instruction Fuzzy Hash: 4A312031255B01CFD320CF38C8847D6B7A3BFAA314F29CA5DC0A65BA80DB74B50A9B51

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6c943d62-6c943d69; blocks span 6c943be0-6c94414b; calls 6ca91470 and 6ca91480 from blocks 6c943e31 and 6c943eea; call 6c943750 followed by GetCurrentThread and NtSetInformationThread in block 6c943e81-6c943ee0.
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C943E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C943EAA
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: e813d9442f3b92a9a0a599f54b1a3e17ed82650ae0a28b7817f7b2957b9c362d
                                • Instruction ID: 0f49ec9a85da82f5aecaca629454764f2fe9a3bf4a070614989ddfe725eeb90b
                                • Opcode Fuzzy Hash: e813d9442f3b92a9a0a599f54b1a3e17ed82650ae0a28b7817f7b2957b9c362d
                                • Instruction Fuzzy Hash: 96310F31114B01CBD724CF38C4947A6B7A6BF9A304F258A5CC0E65BA81DB71B5498B91

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6c943c62-6c943c64; blocks span 6c943be0-6c94414b; calls 6ca91470 and 6ca91480 from blocks 6c943e31 and 6c943eea; call 6c943750 followed by GetCurrentThread and NtSetInformationThread in block 6c943e81-6c943ee0.
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C943E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C943EAA
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: f5101107b5d086e8b507f34a6f3e80a5fade68f509df924edc8d2ee8c0939bda
                                • Instruction ID: b764a083e1535932246a2d899ee20b55e5f2bbd18ed403f5d2f567b6d6d89423
                                • Opcode Fuzzy Hash: f5101107b5d086e8b507f34a6f3e80a5fade68f509df924edc8d2ee8c0939bda
                                • Instruction Fuzzy Hash: 2721F170118B02CBD728CF34C8947A6B7B6BF9A305F14CA1DC0A68BA90DB75F5088B51

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6cac5120-6cac5154 calls OpenSCManagerA; blocks span 6cac5120-6cac523a; OpenServiceA called in block 6cac51e8-6cac521f.
                                APIs
                                • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CAC5130
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ManagerOpen
                                • String ID:
                                • API String ID: 1889721586-0
                                • Opcode ID: c37d817b2506bc31906c6002a0f2c0434798e2616d0464409efccd1f0822845e
                                • Instruction ID: d28f3102586ca19ba39b8c72956e5f343a46282eb495a80a1a7b6afdcd144c58
                                • Opcode Fuzzy Hash: c37d817b2506bc31906c6002a0f2c0434798e2616d0464409efccd1f0822845e
                                • Instruction Fuzzy Hash: 13312AB4608341EFC7109F29C548B0ABBF0EB8A754F55895EF898C7360C371C985AB53
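                                The two findings a practitioner takes from the function records above are the NtSetInformationThread call with information class 00000011 (0x11 is THREADINFOCLASS ThreadHideFromDebugger, the call behind the "Hides threads from debuggers" signature; the report records its handle argument as 00000000, so only the class value is meaningful here) and the OpenSCManagerA call with desired access 00000001 (SC_MANAGER_CONNECT). The following is an added example, not code from Joe Sandbox or from the analysed sample: it parses the "APIs" lines in the exact form the report prints them, decodes those two constants, and emits a finding per call site. The sample input is copied from the records above and embedded inline; the ReadFile branch is an assumption-free generalisation to the ReadFile record that follows later on this page. The constant tables are the documented Windows values, not anything taken from the sample.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the "APIs" lines of the records above, embedded as text
# (copied from the report text on this page, not fetched from Joe Sandbox).
SAMPLE_API_LINES = """
• GetCurrentThread.KERNEL32 ref: 6C943E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C943EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CAC5130
"""

# Report line shape: <api>.<module>[(<hex args>)][,] ref: <hex call site>
# A "?" argument is one the sandbox could not resolve statically.
API_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# THREADINFOCLASS values relevant to anti-debugging (ntdll).
THREAD_INFO_CLASS = {0x11: "ThreadHideFromDebugger", 0x12: "ThreadBreakOnTermination"}

# dwDesiredAccess bits for OpenSCManager (winsvc.h).
SC_MANAGER_ACCESS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # one int per argument, None where the report shows "?"
    ref: int        # address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report "APIs" line; return None for lines that are not API records."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    args = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_api_lines(text: str) -> list:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def decode_flags(value: int, table: dict) -> list:
    """Name every known bit set in value; any unknown remainder is kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def assess(calls: list) -> list:
    """One human-readable finding per call site worth flagging, in input order."""
    findings = []
    for c in calls:
        if c.api == "NtSetInformationThread" and len(c.args) >= 2 and c.args[1] is not None:
            cls = THREAD_INFO_CLASS.get(c.args[1], f"class 0x{c.args[1]:x}")
            tag = "anti-debug" if c.args[1] == 0x11 else "thread-info"
            findings.append(f"{tag}: NtSetInformationThread({cls}) at {c.ref:08X}")
        elif c.api == "OpenSCManagerA" and len(c.args) >= 3 and c.args[2] is not None:
            access = "|".join(decode_flags(c.args[2], SC_MANAGER_ACCESS)) or "0"
            findings.append(f"service-control: OpenSCManagerA(access={access}) at {c.ref:08X}")
        elif c.api == "ReadFile" and len(c.args) >= 3 and c.args[2] is not None:
            findings.append(f"file-read: ReadFile chunk of 0x{c.args[2]:x} bytes at {c.ref:08X}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_api_lines(SAMPLE_API_LINES)):
        print(finding)
```

                                Run against the embedded lines it reports the ThreadHideFromDebugger call at 6C943EAA and the SC_MANAGER_CONNECT open at 6CAC5130; the six graph records above all funnel into the same 6c943e81-6c943ee0 block, so a single call-site finding covers them. Unknown information classes or access bits are printed as hex rather than dropped, so a variant of the sample that uses a different class still shows up in the output.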

                                Control-flow Graph

                                control_flow_graph (edge list omitted): entry block 6cabaec0-6cabaed2; FindFirstFileA called in block 6cabaed6-6cabaf03; blocks span 6cabaec0-6cabaf7e.
                                APIs
                                • FindFirstFileA.KERNEL32(?,?), ref: 6CABAEDC
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: a1c942b54048affd4857688b5aeab5b8ace9c59b5c9acdd7fb96aaf2777cb326
                                • Instruction ID: 8cd756106c0e95c9268cc16de0a4b699d2570811d04173b6bc775ee4f7a75170
                                • Opcode Fuzzy Hash: a1c942b54048affd4857688b5aeab5b8ace9c59b5c9acdd7fb96aaf2777cb326
                                • Instruction Fuzzy Hash: 331136B4508350AFD7108B28D54459EBBE9BF86315F288E59F4A9DB691D334CD848B22
                                APIs
                                • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CA9ABA7
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                • API String ID: 2738559852-1563143607
                                • Opcode ID: c161bef7e2ecb4737c162b5b7e5735fbb9eecdca128de0933a494aa2800c24f1
                                • Instruction ID: e97abd359d823839af51fbab29687bfcc2b79032ace9fb524b05b3d4c60f5995
                                • Opcode Fuzzy Hash: c161bef7e2ecb4737c162b5b7e5735fbb9eecdca128de0933a494aa2800c24f1
                                • Instruction Fuzzy Hash: 87625C70A1D3418FC724CF18D49165ABBE2ABDA304F248E1EE99ACB750D735D8858B43
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: s^}y
                                • API String ID: 0-2376343031
                                • Opcode ID: b36c6df4352637a56790038bab53841c9d35bd2b35d3ddf06d24eb49aa0e558e
                                • Instruction ID: 00519de76a0b055f7ed34d3a2175542788464be8fad8ab42e7a7cf9dfd6934f7
                                • Opcode Fuzzy Hash: b36c6df4352637a56790038bab53841c9d35bd2b35d3ddf06d24eb49aa0e558e
                                • Instruction Fuzzy Hash: B3231431641B418FD728CF29C4D0696B7E3AFC5328B59CA6DC0AA4BE95DB74F44ACB40
                                 Control-flow Graph
                                 control_flow_graph 3394 6ca9c1e0-6ca9c239 call 6cac6b70 3397 6ca9c260-6ca9c269 3394->3397 3398 6ca9c26b-6ca9c270 3397->3398 3399 6ca9c2b0-6ca9c2b5 3397->3399 3402 6ca9c2f0-6ca9c2f5 3398->3402 3403 6ca9c272-6ca9c277 3398->3403 3400 6ca9c330-6ca9c335 3399->3400 3401 6ca9c2b7-6ca9c2bc 3399->3401 3408 6ca9c489-6ca9c4b9 call 6cacb3a0 3400->3408 3409 6ca9c33b-6ca9c340 3400->3409 3404 6ca9c2c2-6ca9c2c7 3401->3404 3405 6ca9c407-6ca9c41b 3401->3405 3406 6ca9c2fb-6ca9c300 3402->3406 3407 6ca9c431-6ca9c448 WriteFile 3402->3407 3410 6ca9c27d-6ca9c282 3403->3410 3411 6ca9c372-6ca9c3df WriteFile 3403->3411 3415 6ca9c23b-6ca9c250 3404->3415 3416 6ca9c2cd-6ca9c2d2 3404->3416 3414 6ca9c41f-6ca9c42c 3405->3414 3417 6ca9c452-6ca9c47f call 6cacb920 ReadFile 3406->3417 3418 6ca9c306-6ca9c30b 3406->3418 3407->3417 3408->3397 3420 6ca9c4be-6ca9c4c3 3409->3420 3421 6ca9c346-6ca9c36d 3409->3421 3412 6ca9c3e9-6ca9c3fd WriteFile 3410->3412 3413 6ca9c288-6ca9c28d 3410->3413 3411->3412 3412->3405 3413->3397 3422 6ca9c28f-6ca9c2aa 3413->3422 3414->3397 3426 6ca9c253-6ca9c258 3415->3426 3416->3397 3423 6ca9c2d4-6ca9c2e7 3416->3423 3417->3408 3418->3397 3425 6ca9c311-6ca9c32b 3418->3425 3420->3397 3428 6ca9c4c9-6ca9c4d7 3420->3428 3421->3426 3422->3426 3423->3426 3425->3414 3426->3397
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: :uW$;uW$;uW$> 4!$> 4!
                                • API String ID: 0-4100612575
                                • Opcode ID: c7065a9539592b6d83009a9d179175e94e4f404e5d189fd17bddb223c5cf4c29
                                • Instruction ID: c796fef6d8dff453d94bbd8feec68a131f8635fcf10642f327c65ab2bc0ffb21
                                • Opcode Fuzzy Hash: c7065a9539592b6d83009a9d179175e94e4f404e5d189fd17bddb223c5cf4c29
                                • Instruction Fuzzy Hash: EF71ABB0218744AFC710EF54C881BAABBF4BF8A708F50492EF498D7650D771D8888B93
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: K?Jo$K?Jo$`Rlx$7eO
                                • API String ID: 0-174837320
                                • Opcode ID: 09431d1d37c070cfba79793d74e8380e96137579a5f0c4779f8a3d64d6886f90
                                • Instruction ID: 7e01f8933721f3bec916c63d86fb407902d50822db7662ca2766e2e76a5a898d
                                • Opcode Fuzzy Hash: 09431d1d37c070cfba79793d74e8380e96137579a5f0c4779f8a3d64d6886f90
                                • Instruction Fuzzy Hash: F54269B462A3469FC764CF18D091A1ABBF1AFC9314F248E1EE59587B20D734D885CB43
                                 Control-flow Graph
                                 control_flow_graph 3575 6cac4ff0-6cac5077 CreateProcessA 3576 6cac50ca-6cac50d3 3575->3576 3577 6cac50d5-6cac50da 3576->3577 3578 6cac50f0-6cac510b 3576->3578 3579 6cac50dc-6cac50e1 3577->3579 3580 6cac5080-6cac50c2 WaitForSingleObject CloseHandle * 2 3577->3580 3578->3576 3579->3576 3581 6cac50e3-6cac5118 3579->3581 3580->3576
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID: D
                                • API String ID: 963392458-2746444292
                                • Opcode ID: a1700037e6cdc6c034c648887dcb75f8872acc92d8ca36c3ce355e080723389b
                                • Instruction ID: e2c46cd9e4c9ef68f02542233076c3a0296e757b491916f6c524e7ddc6612694
                                • Opcode Fuzzy Hash: a1700037e6cdc6c034c648887dcb75f8872acc92d8ca36c3ce355e080723389b
                                • Instruction Fuzzy Hash: AE31E1709193808FD740DF28D19872ABBF0EB9A358F505A1DF89997250E7B596888F43
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: 3f6acf3c02de70b87916c79052d6762d6b26ecda5678e9359598578257b1bc8d
                                • Instruction ID: a506378be737252562fd7b37005c07703ba33644009e9813508f69e141f5a8b0
                                • Opcode Fuzzy Hash: 3f6acf3c02de70b87916c79052d6762d6b26ecda5678e9359598578257b1bc8d
                                • Instruction Fuzzy Hash: 74E2F571644B018FC728CF28C8D0796B7E2AF95318B59CA2DC0A68BB95D774F54ACB50
                                 Control-flow Graph
                                APIs
                                • GetLastError.KERNEL32(6CAF6DD8,0000000C), ref: 6CACEF52
                                • ExitThread.KERNEL32 ref: 6CACEF59
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 9b79bd6149625cc46d5dc0e344e3e4d73f7f69dd0ac8f61f09185ffcd6a38313
                                • Instruction ID: ae3b085959a94c0818f96e824c9e508486f7ff3eb72556777346a73f4bac8d94
                                • Opcode Fuzzy Hash: 9b79bd6149625cc46d5dc0e344e3e4d73f7f69dd0ac8f61f09185ffcd6a38313
                                • Instruction Fuzzy Hash: 7FF0F6B1A00604AFDF049FB0D65AAAE3B74FF41314F154649E015E7B40CF30A98ACBE2
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: 9bd74fc6af22fa6386866dd35c55656a3f4bf30f42b85a75901fc64a0028d5cc
                                • Instruction ID: 6c26e46bf9985d48449d0fb317ed98f8590743dbf714a314e6f1a87b5b4fc352
                                • Opcode Fuzzy Hash: 9bd74fc6af22fa6386866dd35c55656a3f4bf30f42b85a75901fc64a0028d5cc
                                • Instruction Fuzzy Hash: 7992E3712457018FC728CF28C8D0A95B7E3BFC53187698A6DC0AA4BA95DB75F52ACF40
                                 Control-flow Graph
                                 control_flow_graph 4932 6c997f40 4933 6c997f40 call 6c997f50 4932->4933
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                • Instruction ID: 0fabea83188c4c7987055a988a9332b3cd2273707b7cfe36065fadc7d8b42744
                                • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                • Instruction Fuzzy Hash:
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB13097
                                  • Part of subcall function 6CB161D6: __EH_prolog.LIBCMT ref: 6CB161DB
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $*$0UJ$@$@
                                • API String ID: 3519838083-862571645
                                • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                • Instruction ID: a8d97bd5c16ec839c56c093c76d1844a75b6998ce7ef7e7429dd2cd6f425733f
                                • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                • Instruction Fuzzy Hash: 52337E30E082989FDF11CFA4C994BDDBBB1EF45308F1480A9E419ABA51DB719E89CF51
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB658A4
                                • __aulldiv.LIBCMT ref: 6CB65C4A
                                • __aulldiv.LIBCMT ref: 6CB65C78
                                • __aulldiv.LIBCMT ref: 6CB65D18
                                  • Part of subcall function 6CB6736D: __EH_prolog.LIBCMT ref: 6CB67372
                                  • Part of subcall function 6CB6740E: __EH_prolog.LIBCMT ref: 6CB67413
                                  • Part of subcall function 6CB66E78: __EH_prolog.LIBCMT ref: 6CB66E7D
                                  • Part of subcall function 6CB6124A: __EH_prolog.LIBCMT ref: 6CB6124F
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog$__aulldiv
                                • String ID: L$b
                                • API String ID: 604474441-3566554212
                                • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                • Instruction ID: f7538ab69abadb3836a5fd9df26d7b081fccd8bab91bd12b88e3a25273096a5e
                                • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                • Instruction Fuzzy Hash: 36E27930D01299DFDF15CFA5C990ADDBBB5AF19308F24409AD449A7B81DB306E89CF62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: g)''
                                • API String ID: 4218353326-3487984327
                                • Opcode ID: d6571e6cce9a74c1cef6ee8226f4741ee618f2a62d915874713c0d74d869240e
                                • Instruction ID: 5086826e4b97e13618180e63222f81ec384a31b4f25530aa5a7a97a301301558
                                • Opcode Fuzzy Hash: d6571e6cce9a74c1cef6ee8226f4741ee618f2a62d915874713c0d74d869240e
                                • Instruction Fuzzy Hash: 1263D171745B018FC728CF28C4D0AA5B7F3AF9531871D8A6DC0E64BA59EB74B48ACB41
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 6CAC5D6A
                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CAC5D76
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CAC5D84
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CAC5DAB
                                • NtInitiatePowerAction.NTDLL ref: 6CAC5DBF
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3256374457-3733053543
                                • Opcode ID: 238cd1611c1970d54f6610445409821558a6b5e62c545629f19f07c320119fe8
                                • Instruction ID: ad9ab8b0f633550447e8b4a22689ceddaab38f620e497eebdf1371c60c17958e
                                • Opcode Fuzzy Hash: 238cd1611c1970d54f6610445409821558a6b5e62c545629f19f07c320119fe8
                                • Instruction Fuzzy Hash: 28F0B470644300BBEA106B24DD0EB6A7BB4FF49702F014518F985A71C1D7B06B84CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: \j`7$\j`7$j
                                • API String ID: 0-3644614255
                                • Opcode ID: 964c88ea622f9da089656dd57a30e1c8865d699805bd13cd17e3fff405f592e9
                                • Instruction ID: b56390881c9c275d7453ceb4ba7a50f2e22894766caa18cbe4b77e46d3c28bdf
                                • Opcode Fuzzy Hash: 964c88ea622f9da089656dd57a30e1c8865d699805bd13cd17e3fff405f592e9
                                • Instruction Fuzzy Hash: 094234746093828FCB24CF68D48066ABBE1BBCA354F248A1EE4D9CB760D334D855CB53
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB584B1
                                  • Part of subcall function 6CB5993B: __EH_prolog.LIBCMT ref: 6CB59940
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 1$`)K$h)K
                                • API String ID: 3519838083-3935664338
                                • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction ID: 772b32aaefd94526e74bea3c206ec6824d41885352c8c07aa73076719751f0e0
                                • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction Fuzzy Hash: 00F26A70D04298DFDB11CFA8C884BDDBBB5EF49308F684499E449AB781DB719A86CF11
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB4AEF4
                                  • Part of subcall function 6CB4E622: __EH_prolog.LIBCMT ref: 6CB4E627
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $h%K
                                • API String ID: 3519838083-1737110039
                                • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction ID: 0c82d4d8594974fd4e3a513922ad1ceacab00a575bb6e381c5bc354569985889
                                • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction Fuzzy Hash: 88538730909298DFDF15CFA8C994BEDBBB4AF09308F1480D8D449A7695CB70AE89DF51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $J
                                • API String ID: 3519838083-1755042146
                                • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction ID: 8a7b4c36bb14ebe3ae708c3c6064c7b1af1f4de8c8e57e535c6100f78ac72ac2
                                • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction Fuzzy Hash: C9E2DD70A05288DFEF01CFB8D684BDEBBB1EF09308F644189E855AB681C774D955CB62
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB26CE5
                                  • Part of subcall function 6CAFCC2A: __EH_prolog.LIBCMT ref: 6CAFCC2F
                                  • Part of subcall function 6CAFE6A6: __EH_prolog.LIBCMT ref: 6CAFE6AB
                                  • Part of subcall function 6CB26A0E: __EH_prolog.LIBCMT ref: 6CB26A13
                                  • Part of subcall function 6CB26837: __EH_prolog.LIBCMT ref: 6CB2683C
                                  • Part of subcall function 6CB2A143: __EH_prolog.LIBCMT ref: 6CB2A148
                                  • Part of subcall function 6CB2A143: ctype.LIBCPMT ref: 6CB2A16C
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction ID: 4356db4a6a27d643dccea1e9969dcfadfd121daa03c657a25b6dd55f0d2e76e6
                                • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction Fuzzy Hash: 4903BD31805288DFDF11CFA4C980BECBBB1AF15318F244099E45977A91DB785A8EDF62
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 3J$`/J$`1J$p0J
                                • API String ID: 0-2826663437
                                • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction ID: eb4c01c4feb95d4ebab95abc0708e92cf5962341db2f59288626167fdfbcb2a2
                                • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction Fuzzy Hash: F6411772F10A601AF3488E2A8C855667FC3C7CA347B4AC33DD565C76D9DABDC40782A8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: W
                                • API String ID: 3519838083-655174618
                                • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction ID: f9ec93ddb81c97ed34994cdb09c60e10c4155b7e75e8711c15af8dc9f247f609
                                • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction Fuzzy Hash: 92B27A70A05299DFDB01CFA8C584B9EBBB4EF09308F284099E845EB782C775ED51CB61
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CAD0279
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CAD0283
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CAD0290
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: f829e5aaf32ff5923e93f99a4f3cf54163201b8fdeb32830cf58365ea638d014
                                • Instruction ID: 0a09ff3cb86d3765cd0527b150954f27ea78d1ad838e35f0c0e6f5348c364485
                                • Opcode Fuzzy Hash: f829e5aaf32ff5923e93f99a4f3cf54163201b8fdeb32830cf58365ea638d014
                                • Instruction Fuzzy Hash: 2831B27490122D9BCB21DF68D988BCDBBB8BF08314F5042EAE41DA7650EB709B858F45
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-3916222277
                                • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                • Instruction ID: 8a69167fe07493e1555853c270aad137bfea0265b6e606b921b1977d36c1d58d
                                • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                • Instruction Fuzzy Hash: AE92AE309052A9DFDF05CFA8C994BDEBBB1EF19308F248199E819AB791C730AD45CB51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-3916222277
                                • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                • Instruction ID: 80b0226233e168b0c90c46a8221abd4b335fc9140515f5f9f7994ff2232d87e3
                                • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                • Instruction Fuzzy Hash: 062269B0A012499FDB08CFA8C494BAEBBF0FF08308F148569E8599B781D775E955CF91
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB4489B
                                  • Part of subcall function 6CB45FC9: __EH_prolog.LIBCMT ref: 6CB45FCE
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @ K
                                • API String ID: 3519838083-4216449128
                                • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction ID: 0755f7dbbb8388388b7285e4c26cffc6363bcc673539c832442dd5a55f23721e
                                • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction Fuzzy Hash: BDD1E171D082848FDB14CFA8C4907DEB7B6FF84318F14C12AE415ABA89CB749855EF56
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction ID: f40b8b40d928cadd751324be8a91ad1a31515c68e55652dc083b5b2ed9d9f698
                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction Fuzzy Hash: 3091E031D011099ADF14DFB9DA809EDB7B2AF06308F24802AF47167A61DB3259CFCB94
                                APIs
                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CAC78B0
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CAC80D3
                                  • Part of subcall function 6CAC9379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CAC80BC,?,?,?,?,6CAC80BC,?,6CAF554C), ref: 6CAC93D9
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                • String ID:
                                • API String ID: 915016180-0
                                • Opcode ID: 80b1fbb3b65925688bef13a1a14b378e59c5b06b69834c2b736174e5ed5b596c
                                • Instruction ID: 14c7612a7d9a86685e4e4e187d105f08e627ee94b7a5f81497563cf1e949d229
                                • Opcode Fuzzy Hash: 80b1fbb3b65925688bef13a1a14b378e59c5b06b69834c2b736174e5ed5b596c
                                • Instruction Fuzzy Hash: CEB16F71B05609DFDB05CF65D8816DDBBB4FB49318F68822AE425E7780D3389A88CF91
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction ID: 49874fe7e25e3785c6856664a74af382247aa6c93c86842f0335ac0329d937e8
                                • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction Fuzzy Hash: 48B28C30904698CFEB21CF6AC494B9EBBF1FF04308F144599D49AA7E81D770A989CF52
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction ID: 97ad12f4365f8134ea17627bbaf0fe95db5091a7aa209b418044468bd1c2bc5b
                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction Fuzzy Hash: 87218D37AA49560BD74CCA68EC33AB92681E745305B88527EE94BCB3E1DE6C8800C648
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB1540F
                                  • Part of subcall function 6CB16137: __EH_prolog.LIBCMT ref: 6CB1613C
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction ID: c96361520e51a71f1a8377268ca104c94583c73b73c4dfcb60d0af7685e56f55
                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction Fuzzy Hash: 3D627971909299CFDF15CFA4C890BEEBBB1FF05308F14416AE815ABA80D7749A48CF95
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: YA1
                                • API String ID: 0-613462611
                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction ID: 18c68261aec7d91bb8ade0221584a9a25498d6aa038757eac10c998a2e4c0e4a
                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction Fuzzy Hash: 7F42B2706093C18FC715CF39D49069EBBE2EFD9308F29496DE4D68BB41D671990ACB82
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                • Instruction ID: f153946ec7f8017feeb35b52876b3a5b12ed69c7f907c409dd0c134f8d9f41ed
                                • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                • Instruction Fuzzy Hash: 80E16A716083858BD724CF29C880AAEB7F5FFC9314F148A2EF8598B755D730A945CB92
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction ID: 64d43968e77d2873e6d0391ca5caad04bbe75aa36634e2e0170c968eaf8ea92c
                                • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction Fuzzy Hash: E5F15870908289DFCB14CFA8C590BEDBBB1FF05308F14C16AD409ABA56D771AA49DF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction ID: 87a57b8c42d91d3cb4e05c93238c2993dc86a3f44dfbfdfffd0be686a5d29530
                                • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction Fuzzy Hash: 053249B1A083058FC318CF56C48495AF7E2BFCC314F468A6DE98997355DB74AA09CF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction ID: 1d9f3a327e5f2db357224b85b6521c923604528c41160825abb39d63370ac0e6
                                • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction Fuzzy Hash: 811207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction ID: 8abaa0e69bd08e66152e956e13ea3d9ef17348efbaca735edbfd7a60dc747d94
                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction Fuzzy Hash: 9D51E971A082959BD710CF5AD4C02EDFFE6EF7A214F14C059E8C897242D27A599AC760
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction ID: d61e090eb0308abd3dd08ef9852fc1f6fb4b9953ffa0d97f58e8e4bb97baf11d
                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction Fuzzy Hash: 920299316083808BD325CF28C49079EBBE2EBC9748F144A2DE8A597B51C775D949CFA3
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction ID: 82eed710cb3253d43938c0ffca71917a338190eaeb1f45906c05774213420a29
                                • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction Fuzzy Hash: 12D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction ID: 7adec0aa108bc2e463bbddcf8470e8f6d512f3c24377023931dd1f8b6b50ddf0
                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction Fuzzy Hash: B5519473E208214AD78CCE24DC2177572D2E784311F8BC2B99D8BAB6E6DD78989587C4
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction ID: 3fdac96a1cd3b7b76b6c1d1758f72248b6d2a0dd3f591afcd18a842bc4c2cf58
                                • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction Fuzzy Hash: 03728DB26042668FD748CF19C490258FBE1FF88314B5A46ADD95ADBB42DB30E8C5CBC1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction ID: 09e623b81a2c365003535eb9a5c0ed4f69d6fbf22539c8ff9669dd336ff43f94
                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction Fuzzy Hash: DD525031208B858BD328CF29D49066AB7E2FF95308F144A2ED8EAC7B41DB75F449CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction ID: c624a720f4f0001447e5568575734c203775e6451e63b5da9284e302002d8982
                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction Fuzzy Hash: E562E0B1A0A3858FC714CF29C58061ABBE5FFC8744F248A2EE89987755D770E845CF92
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction ID: 4a41af638cd67e7151ca6a9304f6aedac22dca5d6bbdfbf9873aee2f9cd8f3fc
                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction Fuzzy Hash: D0428D71605B468FD328DF69C8807AAB3E2FF84314F044A2EE896C7B94E775E549CB41
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: 3ee5dc2bdd988addaaf3993e389b1bda786d84fda3bcd43a42cb517b61990b90
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: F91290712097858BC728CF28C49066AFBE2FFC8345F54492DE9A687B41D731E845CF62
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction ID: e17e27ad81d84f14ccc115eb6ba9ae5b139714105831863e454494274afb4ad7
                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction Fuzzy Hash: 8702E873A093914BD714CE1DCC9021DB7E7FBC0390F6A4A2EE89647B94DAB4D946CB81
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: 8cce796e2e0be8352a08ac387d213c56095020f1fdd7cc450b6a2b93a90d8c98
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: AE022A32A093918BD319CE2CC4A0359BBF6FBC4345F154B2EE496A7A94D774D848CF92
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction ID: dd66ab24b3d0ce3db620a3fbebea8fe319ef1aea8eef0ef1dad21492658dbac3
                                • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction Fuzzy Hash: 5A12C134604B918FC324CF2EC49062AFBF2BF85305F188A6ED1D687A95D735E548CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction ID: d03fbad1c59756200d1efe600068dcd21ce140f83cb9182c181fcd9e3467cced
                                • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction Fuzzy Hash: 5B029E716087608FC328DF2ED49022AFBF1AF85301F188A6EE5D687B91D336E559CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction ID: 8fcc33a779e5dd7dc4d9d99d0c4363d6325afc91a06a44948b204f406f26ca84
                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction Fuzzy Hash: 2DF105326042C98BEB24CE29D4507EEB7E2FBC5344F58453DD889CBB41DB35954AC792
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction ID: 634d0722d9b9c729afc6d627d11fb07825a9dd0802242b50bc5d8d3673b46e4c
                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction Fuzzy Hash: 44E1F071604B818BD734CF29D4603AAB7E2EBC4314F54492DC9A6C7B81DB75E50ACBA2
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction ID: 701e4fcd9d21af2f5b9819d30a45dc82e315d2fa209c3afd621a068f9f91f967
                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction Fuzzy Hash: F4F1B1706097918FC328CF2DD49026AFBE2FF89305F184A6ED1D68BA91D339E554CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction ID: a37a8cf01ac944a40347edd4a561e269bbc12fe679a1e427feff96c3a2a1eb05
                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction Fuzzy Hash: 24F1D0B0509BA18BC329DF29D49026AFBF1FF85304F188B2ED5D68BA81D339E155CB51
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction ID: 8ea0383f17a39dec5bb6c62e5e485a81c6201b10514fbd114baec5e77f7a3378
                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction Fuzzy Hash: 6BC1E171A04B468BE338CF29C5906AAB7E2FBC4314F148A2DC9A6C7B45D770F495CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction ID: 4ae5b3fea1423f2d9f4ebacbe00c4b9e0d29517a96539a1dd29a5589210da173
                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction Fuzzy Hash: 17E1E7B18047A64FE398EF5CDCA4A3577A1EBC9300F4B423DDA650B392D734A942DB94
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction ID: da9b3850541b4656194885b0667d67aa7d0e75104509a3d628dd582d8e399c88
                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction Fuzzy Hash: 99D110715046968FD328CF1CC494236BBE2FF86304F054ABDDAA28B39AD734D615CB69
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction ID: 28b9149d81eb924af6c83ba669d6eb1541ebd7393e46f004d063a4c16bedc077
                                • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction Fuzzy Hash: 95B172716052918FC350CF29C8802497BA2FFC532977587ADC8A49FA9AD336E417CBE1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 61d2ecdaf6edf88daac66be22fbddf29d32d1c1a8727e37266a76bbd4ff2107a
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: 7EC1E9352047818BC728CF39D1A4697BBE2EFD9314F14866DC8DE4BB55DA30A80DCB66
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction ID: bd37ef6fd984a5493d4696215c3b5529ffc3028e0acb245d56c1abb9d4b2461f
                                • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction Fuzzy Hash: 3EB183716052848FC350DF29C484288BBA2FF8532CB79569EC9648F646E337E847CBE1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction ID: 3f0c379f6c444a1a0606c673c36da82f588c5ebd34a28c7264515905dc80e540
                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction Fuzzy Hash: D6D1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                • Instruction ID: 346db5f6865e7e05c10f947482174bb9b79cd774a9f10f2e080eaba79adfeb56
                                • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                • Instruction Fuzzy Hash: 24B1CF31305B854BD324DF7AC8907EEB7E1AF84708F14452DD5AA8BB81EF30A9098B95
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction ID: a3c19b9f0081ac6a61d72ef67d0b8ed6529397542e1c10ef707b72a7d83b8683
                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction Fuzzy Hash: A9B1AD756047428BC314DF29C8906ABF7E2FFC8304F18892DD8A9C7711E771A55ACBA6
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction ID: 520c19e9f773d598809dbe09b9121974fa437934c7a004db422a15741355eb84
                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction Fuzzy Hash: 05A1D771A0C7818FC724CF29C49065ABBF1EFD5318F544A2DE8EA87741D631E946CB52
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction ID: 6569c0a38fa703277b3d40a308cd3f7966c0992bab56072eb348a904191f8726
                                • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction Fuzzy Hash: F66150B23082558FD308CF99E180A56B3E5EB99321B1685BED515CB361E771DC41CF29
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction ID: 01c6dc5442c9a1eb99f6bc4720679883049d7955ae786dd8aa60f717df16528a
                                • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction Fuzzy Hash: 1681C335A047418FC320CF29C480286F7E2FF99714F28CA6DC9A99B715E776E946CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction ID: 9cd32b563edaf1031bd069a91b08bd100a3d45d356609688c6921fcf188c3699
                                • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction Fuzzy Hash: F78102B2D447298BD310CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBC0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction ID: 13c6e86d20d13e6e5f18adf0f160cc7f3964c84e6923aade8c3730935c6cb4dc
                                • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction Fuzzy Hash: 60919176C1971A8BD314CF18D88025AB7E0FB88308F05067DED9997341D736EA55CBC5
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                • Instruction ID: a23a40a7e57dcaca6fe280b95406e87c23b88627516eefaec1abebdf5477d6e2
                                • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                • Instruction Fuzzy Hash: ABA1BE71A0928A8FD729CF19C490AAEB7F2FF84308F144A2DF4869B341D375A655CF42
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: 0e1279b73ab866e1fd3dc7686c6a8bf6ce6dbcc0c38e12784a11ecbc94134bb5
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: 6E51AE72F146599BDB08CE98ED916EDBBF2EB88308F248169D411E7B81D7749B41CB80
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                • Instruction ID: 6a9e7571469bce33237b1767f43ea4b8d35edb9177cac1bb9be4e6fcfac093fd
                                • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                • Instruction Fuzzy Hash: 2C516E746083858BD710DF1EC880616F7F5FFA8708F244A6DE99487B12D771E906DB92
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: 432a9e57445641301423cc3b60af8e2e091f07010536586e43b382251c0e1f35
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: 8C3114277A844103CB0CCD3BCC1679F91539BD522A70ECF396C09DEF55D52CC8124146
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction ID: e7cb6ecd21d40af644a8ffa8f0b0ffa738bdace26ec8d1bc84adcbd9f0808a41
                                • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction Fuzzy Hash: A2310C735049C50EF6218929898439A7327DFC2368F298769DD768FFECCA71940783A6
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction ID: b89f2bf02b62b59aeb195013672cebb624fd4bc4ae7340452018296e4c805d0f
                                • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction Fuzzy Hash: 2D4190B29057468BDB04CF19C89056AB3E4FF88319F454A6DED5AE7381E330EA25CB91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction ID: 7cf879b3d66ad6079864ee41a53019e1d3f54995fdedb902f9f1401ed1aa41de
                                • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction Fuzzy Hash: 092128B1A047EA07E7209E6DCCC037577D2DBC2305F094279DAB48FA87E17994A2DA61
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction ID: 2bc554a1d9acbb3ee0092b63e39a93b0e30f1b76a32f43ac2ab882017e31fc93
                                • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction Fuzzy Hash: 7F218E77320A064BE74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                • Instruction ID: 9049c957ca96a84eb800e16420e969b729baab3e7136aead79363a5f346a893c
                                • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                • Instruction Fuzzy Hash: F701E16529768989D781DA79D490748FF80F757206F9CC3F4D0C8DBF42D589C54AC3A1
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction ID: ae604cb9e7273f91ec35b8809396890c7f010b2a2eefed2c82342f2416a1ea68
                                • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction Fuzzy Hash: 3B01817291462E57DB189F48CC41136B390FB95312F49823ADD479B385E734F970C6D4
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e23d4fd1e4e72aaa4fc55d2719f5b9f0e620f598995fa7d9d4b92554e448c06e
                                • Instruction ID: 4f666b1ad04bf80b22a4c1120b1a5f75dfc0248b4e982c5eb28a390f3a088be1
                                • Opcode Fuzzy Hash: e23d4fd1e4e72aaa4fc55d2719f5b9f0e620f598995fa7d9d4b92554e448c06e
                                • Instruction Fuzzy Hash: 57F0E532A20320EBCB12DB9CC501B8973BCEB49B65F160096E444DB640CBB0EE84C7C0
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction ID: 2fe75955b2cfd6b2bbe30ac626812085e514379d8f597271a6550b10f100c049
                                • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction Fuzzy Hash: EFC080A311810017C302E92594C079AF6A37361330F218C3D9051F7E43C318C0644111
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                • API String ID: 3519838083-609671
                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction ID: 03e018ef7176d978f7f662e3d0eb363e96564b5a7f9fa72b0f6818a693ecb3a7
                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction Fuzzy Hash: EED1C031A042C99FDF10CFB5D980AFEB7B5FF09309F144529E059A3A50DB78A949CBA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                • API String ID: 3519838083-3887797823
                                • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                • Instruction ID: 9d2f434a5ef5725932f66995f793374ab1f42cd36ff1fd7c7871dbc0ae4fcbf3
                                • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                • Instruction Fuzzy Hash: 0102F270A11289DFDB21CF64C990ADDBBB5FF05308F9481AED049B7A40C771AA99CF61
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB45B74
                                  • Part of subcall function 6CB45AC2: __EH_prolog.LIBCMT ref: 6CB45AC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                • API String ID: 3519838083-3148776506
                                • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                • Instruction ID: 4044342dbd98f51bc26a12aea1f8e1bdb8c6d351d8381f685fc9e3dd345e7792
                                • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                • Instruction Fuzzy Hash: 0C51F630908A959BCF00DFA4C580AEEB372EF4130CF10C51AD8715BB99DB75A94ED75A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $$ K$, K$.$o
                                • API String ID: 3519838083-1786814033
                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction ID: e1b44300c99222cc81d4db7dacf6814407671d405f4b81ca06bd4cc0791655df
                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction Fuzzy Hash: 28D1E4319092E98BCF11CFA8D4907EEBBB1FF05308F28C16AC451ABA49C7715959DB62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: >WJ$x$x
                                • API String ID: 2300968129-3162267903
                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction ID: b607cdae29afbea802def7a4233d27e748e8adf4ebc8f0a6fd395975468a1bc1
                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction Fuzzy Hash: 0F128A71904299EFDF10DFA4C980AEEBBB5FF09318F208169E815EBA50D7319A49CF51
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 6CAC9B07
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6CAC9B0F
                                • _ValidateLocalCookies.LIBCMT ref: 6CAC9B98
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6CAC9BC3
                                • _ValidateLocalCookies.LIBCMT ref: 6CAC9C18
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                • Opcode ID: 92e0efd8241791a3d294502607df4be6020c68496e28bafd007eaf6d6e5b08db
                                • Instruction ID: ca6dea282f010fb5315e9c3f27dc2011f473616c4f9abb7c2cfae796382e24d2
                                • Opcode Fuzzy Hash: 92e0efd8241791a3d294502607df4be6020c68496e28bafd007eaf6d6e5b08db
                                • Instruction Fuzzy Hash: 8441C334B10219AFCF00DF78C980ADE7BB5AF4531CF158155E825ABB51DB31EA89CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 0-537541572
                                • Opcode ID: 6192a6e3d998b9b613de0eadf4866751b62e0a86687d630e308f36db4080fd1e
                                • Instruction ID: 8c3d1936431e4cfe5852e942c00d29a7ded43d7c7eae55f997546dbfb5c0c830
                                • Opcode Fuzzy Hash: 6192a6e3d998b9b613de0eadf4866751b62e0a86687d630e308f36db4080fd1e
                                • Instruction Fuzzy Hash: 9A212E32A56B11ABDB114B29CD40B0A37B8AF0F764F1B4A50F815E7B80D730FD8185E2
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 62fa48f654a715e4d6fd22a34405655ba8c1b9eb0620b1938447ce60169b7021
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: F5219570A01299BFDF208E948C40DDF7EADEF427A8F20C225B52471990E2718D64C6AA
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB0A6F1
                                  • Part of subcall function 6CB19173: __EH_prolog.LIBCMT ref: 6CB19178
                                • __EH_prolog.LIBCMT ref: 6CB0A8F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction ID: a13524c509c3484be8e8ff62246361360acfbefcb74d8670161d35b3c3a38bfb
                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction Fuzzy Hash: 9E718C31A00295DFDB14CF64C484BDDBBB1BF14308F1084A9E855ABB91DB74AA4ACB91
                                APIs
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C992FD0
                                • __Getctype.LIBCPMT ref: 6C993084
                                • std::_Facet_Register.LIBCPMT ref: 6C99309C
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C9930B7
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: std::_$LockitLockit::~_$Facet_GetctypeRegister
                                • String ID: ios_base::badbit set
                                • API String ID: 1438654134-3882152299
                                • Opcode ID: 018bf5fa1cf3ca2d152c55e6de6b49f3bbcd0ab6beffeca2bcabc77e05d2f3a4
                                • Instruction ID: 2940557152195256073b7fbfa0e52376a26872aaa56969eb496561d6d1bd3a35
                                • Opcode Fuzzy Hash: 018bf5fa1cf3ca2d152c55e6de6b49f3bbcd0ab6beffeca2bcabc77e05d2f3a4
                                • Instruction Fuzzy Hash: 2A4155B1A00614CFCB00CF95C854BAEBBB4FB59714F084129D829ABB40D774AA48CF91
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB53853
                                  • Part of subcall function 6CB535DF: __EH_prolog.LIBCMT ref: 6CB535E4
                                  • Part of subcall function 6CB53943: __EH_prolog.LIBCMT ref: 6CB53948
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: ((K$<(K$L(K$\(K
                                • API String ID: 3519838083-3238140439
                                • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                • Instruction ID: 800741040aa766840d54a6a387d4dfb8eb860b2cfd62d970e57d7a0fc1042682
                                • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                • Instruction Fuzzy Hash: 6D2139B0901B909EC724DF6AC54469BFBF4EF51308F508A1F80A697B50DBB46A08CB65
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB1E41D
                                  • Part of subcall function 6CB1EE40: __EH_prolog.LIBCMT ref: 6CB1EE45
                                  • Part of subcall function 6CB1E8EB: __EH_prolog.LIBCMT ref: 6CB1E8F0
                                  • Part of subcall function 6CB1E593: __EH_prolog.LIBCMT ref: 6CB1E598
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction ID: ac00a04cf5272f97e29136345ed746c2e2a0aace3232dc6aeed7b779249d5c80
                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction Fuzzy Hash: 4B218E71D05298AECB04DBE4DA849DDBBB5AF15318F104069E41677B81DB780E4CCB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction ID: 7c851e9a32413629f733a08db445afe802c77a7a1c7064d387417caf840ee720
                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction Fuzzy Hash: 1411F2B0904BA4CEC720DF5AC55419AFBE4BFA5708B00C91FC0A687B10C7F8A549CB89
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction ID: 94345cb2a17136bad3f19fd3ffa16c75e11ac637407009be59f38db3e45029ff
                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction Fuzzy Hash: DC129F70D0A289DFCF04CFA4C480ADEBBB5FF05308F14806AE845ABB59DB70A985DB51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction ID: 60ba2534cf550eeb40e873bcee24333fea99cdbe1f11fc055b2393dd3dbb0898
                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction Fuzzy Hash: 80B13CB1E04289DFCB14CFA9C8849AEBBF5FF49314B20852EE515A7B50D730AA45CB52
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 0-1866435925
                                • Opcode ID: d3042523897130dd3d2d521ecb5e410fb4fc20c1450381ddaa6e65b02c485e69
                                • Instruction ID: f9665c82714bc35136c7f7e6c15e975041020f20de0b3923d06c3fc7625c14d5
                                • Opcode Fuzzy Hash: d3042523897130dd3d2d521ecb5e410fb4fc20c1450381ddaa6e65b02c485e69
                                • Instruction Fuzzy Hash: 375125B1A007099FDB00CF64C845BAEBBB5FF84318F188668E9199F781D771D986CB91
                                APIs
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6C991311
                                  • Part of subcall function 6CAC714C: _Yarn.LIBCPMT ref: 6CAC716B
                                  • Part of subcall function 6CAC714C: _Yarn.LIBCPMT ref: 6CAC718F
                                • std::_Xinvalid_argument.LIBCPMT ref: 6C99133B
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C9913F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: std::_$Yarn$Locinfo::_Locinfo_ctorLockitLockit::~_Xinvalid_argument
                                • String ID: bad locale name
                                • API String ID: 2931703998-1405518554
                                • Opcode ID: 1c8eb612eed130455858ca502f5f707083a40e0be978a3761de382159af0ebfe
                                • Instruction ID: 84652f45733786f66943bd48972eaa418cf014be7f052fe1bf7b5187becf7fc6
                                • Opcode Fuzzy Hash: 1c8eb612eed130455858ca502f5f707083a40e0be978a3761de382159af0ebfe
                                • Instruction Fuzzy Hash: 09419AB1A007059BEB10CF29D945B6BBBF8BF04718F044629D4199BF80E379E558CBE2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction ID: d7f5c3ec1d608b621ede0251b94eec4d22d0030d30d7c64b0cf5f98cbc0535dd
                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction Fuzzy Hash: 2A21AF70E49285CBCB04DFE8C4805EEF7B6FF95304F64462AC422E3F91CB744A068AA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0$LrJ$x
                                • API String ID: 3519838083-658305261
                                • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                • Instruction ID: fa2669e0f1911699df7c227f004215a563393a691ddec10a195c746d9b994e7b
                                • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                • Instruction Fuzzy Hash: 03219D32D011199ACF04DFE8DA90AEDB7B5EF98708F20006AE42173740DB795E4ECBA1
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB24ECC
                                  • Part of subcall function 6CB0F58A: __EH_prolog.LIBCMT ref: 6CB0F58F
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction ID: 4085edf9ca4b1e5aa91532c8927f91f369b3c1f08116390e17609041fa0027dc
                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction Fuzzy Hash: 6D21DAB0901B40CFC760CF6AC14428ABBF4BF29708B00C95EC0AA97B11E7B8A54DCF55
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction ID: 734744ae5f34daccc1ba49093958a2d93348c7f79f18a5971490f3bade80dd5d
                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction Fuzzy Hash: 254181B1D092D9AECF18DFA1D4908EEB771EF11308B20856DD12267F50EB35AA4DCB12
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: 52003866c06a8bf4a763b6e4394d9ad455e87d03283a130404016e872eed5287
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: DA11A276204284BFEB214AA4DC44EAFBBBDEFC6744F10842DB14156A90C6B1AC14D760
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CAFE077
                                  • Part of subcall function 6CAFDFF5: __EH_prolog.LIBCMT ref: 6CAFDFFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction ID: 967cd567f42f04711906a2504cacb3661366f30d2e85d4390fde6b976760ba94
                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction Fuzzy Hash: D2E1C0309002099ACF21DFA8CA90BDDB7B1AF15318F14421DF47567A91EB75A9CFCB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x'K$|'K
                                • API String ID: 3519838083-1041342148
                                • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                • Instruction ID: 86bf67265c1428d787c0d8d77e0a08cb31804da5c8695fc106435554d10869d0
                                • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                • Instruction Fuzzy Hash: 72D1F8309447C59EDB21DF60C590AEFBBB4EF01308FA44A1AE06653E90D775A57ECB12
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog3_
                                • String ID: 8Q
                                • API String ID: 2427045233-4022487301
                                • Opcode ID: 21c2d146bbe042371627703abc2322293bf1f835999b5f03f2dcfdee5cd5b409
                                • Instruction ID: bb1011f4503bdf348cd1a43ab0fd9b52facebdc7c26a6c9676cc06cd98ab80e6
                                • Opcode Fuzzy Hash: 21c2d146bbe042371627703abc2322293bf1f835999b5f03f2dcfdee5cd5b409
                                • Instruction Fuzzy Hash: 4771C771D022169FDB108F95CA84BFE7B75BF05358F1A4219E8A067A40DF75E8C5C760
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction ID: b13d871e5a9b78be54af9f5a1bfd3d73253ee49c68c60b92c4a60297a55a7fed
                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction Fuzzy Hash: A8912970910298EFCB10DF99D8849EEFBF8FF18308F54451EE559A7A50D774AA48CB21
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB18C5D
                                  • Part of subcall function 6CB1761A: __EH_prolog.LIBCMT ref: 6CB1761F
                                  • Part of subcall function 6CB17A2E: __EH_prolog.LIBCMT ref: 6CB17A33
                                  • Part of subcall function 6CB18EA5: __EH_prolog.LIBCMT ref: 6CB18EAA
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction ID: cc644295cb71e81821645e07e83abe2454e2c72ee9baeefc0230d0251145d4c3
                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction Fuzzy Hash: 01816D31D04298DFCF15DFA8D990ADDB7B4AF19318F1040AAE416B7B90DB316E49CB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction ID: 1bb83f2113a45f84c5938912b8325811ff983e2337a03bd9ba67d8325714b4c1
                                • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction Fuzzy Hash: A461CD71A092899BDF01CF54C644BEEB7B1EF45309F24C069D854AB689C731DE09DFA2
                                APIs
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 6C992A76
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2429410601.000000006C941000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C940000, based on PE: true
                                 • Associated: 00000007.00000002.2429382603.000000006C940000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430758938.000000006CAE8000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2432225409.000000006CCB2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ___std_exception_destroy
                                • String ID: Jbx$Jbx
                                • API String ID: 4194217158-1161259238
                                • Opcode ID: eb601d1f19d927245d388673c98f857600be4b76175cc6ae441f091335c021ca
                                • Instruction ID: 43fa54d227bb6ac04332f2674b7255c0270581e4353e2e274c6eefd231d87021
                                • Opcode Fuzzy Hash: eb601d1f19d927245d388673c98f857600be4b76175cc6ae441f091335c021ca
                                • Instruction Fuzzy Hash: CC5128B2901204DFCB14CF68D9846EEBBB5FF89314F18856DE8499B741D331D989CB92
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: CK$CK
                                • API String ID: 3519838083-2096518401
                                • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction ID: 7264a95f8f0b7919e310f087e2bc2803f3fd279349871e5750071d2e52883d10
                                • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction Fuzzy Hash: 1351AC76A04345DFDB04CFA4C8C0BEEB3B5FB98358F148529D901EBB49DB74A9058BA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: <dJ$Q
                                • API String ID: 3519838083-2252229148
                                • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction ID: e0c0fea07cf1432817b3b1fade58473c3605b05b4799e4543067822acbb3f297
                                • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction Fuzzy Hash: 40519071900289EFCF10DFA9D8908EEB7B5FF49318F10852EF525ABA50D735998ACB11
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $D^J
                                • API String ID: 3519838083-3977321784
                                • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction ID: dce877a11e51e7ce61b429a817e98d7fcfcaaa04270eeed35d24c5cd9c11cc6b
                                • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                • Instruction Fuzzy Hash: 744127E1A0C5D06EDB228F69C450BEEBBE1DF16248F14815CC4A287F85DF645A8BC392
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 8)L$8)L
                                • API String ID: 3519838083-2235878380
                                • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                • Instruction ID: cd5f24c0c52d621efb852c7becc74f483cb126bd3dd1e21823175b3da5f4bea1
                                • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                • Instruction Fuzzy Hash: 3051B031201A80CFD7248F74EA94AEAB7F2FF85304F54452ED1AA87A60CB756889CF55
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: qJ$#
                                • API String ID: 3519838083-4209149730
                                • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                • Instruction ID: ec79f3e9f7fb752a806aeea0443d382d9ba02970c613650acb9a576e78785fe0
                                • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                • Instruction Fuzzy Hash: 3A517135A04289DFCF00CFA8C5809EDB7B5FF19318F148158E856A7761DB39E949CB51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: PdJ$Q
                                • API String ID: 3519838083-3674001488
                                • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction ID: e2628b68d0600695ec66a07445f54424c1d5b278a20f52ce865a77ff02c9c9f6
                                • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction Fuzzy Hash: 9F41BE31D00285DBDB15DFA9D4A09EDB7B0FF4D319B10C12AE929A7A50C3349A45CB96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction ID: 3aeebf1b5ae31e939a01cdb4eac0855eed2dee5c1abdde0c3bb14cf5fb61e654
                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                • Instruction Fuzzy Hash: 7B419F35601795EFDB128F60C5907EEBBA2FF45208F00452EE06A57750CB726949CB92
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction ID: 895b19f751484d05706b0309d6c6a8f6718dd968e90e19db3b6649c9bf101b52
                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                • Instruction Fuzzy Hash: 48219AF0940794AFD730CFA98880B5FBAFDEB45754F10892EA185E7B40D7B099048765
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: #$4qJ
                                • API String ID: 3519838083-3965466581
                                • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                • Instruction ID: eef542c339c92c27465dfaf0948d5e5e46b790c9cb35fa0356e8f971675cc12e
                                • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                • Instruction Fuzzy Hash: 4231CC35A05289DFDF10CF55C980ABE73B5EF45328F048158E81AABB60DB78AD49CB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction ID: df51d7a02c5635708d662b58aa9548e210963917fa4450b1da4841ea3024f1a8
                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                • Instruction Fuzzy Hash: B401C0B2E01389EADB10DFA994805AEFBB4FF59314F40D52EE069E3A40C3345904CB9A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction ID: 225ca2494612815a18c9e6d18336cf56314a8658352ef38d3ed37d69027ec992
                                • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                • Instruction Fuzzy Hash: 23117C71A40289DBCB00DF99C49059EBBB4FF18348B50C82ED469E7A11D3389A05CBA6
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: p/K$J
                                • API String ID: 3519838083-2069324279
                                • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction ID: da98cd61a386679d46c2614d6a0ac8e2e24365f5700655cb448a8123e56a305f
                                • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                • Instruction Fuzzy Hash: 2A01B1B1A117519FD724CF59C5043AEB7F4EF45719F10C81EA052A3B80C7F8A5088BA5
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB3AFCC
                                  • Part of subcall function 6CB3A4D1: __EH_prolog.LIBCMT ref: 6CB3A4D6
                                  • Part of subcall function 6CB3914B: __EH_prolog.LIBCMT ref: 6CB39150
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction ID: 54c1fbf3a827091c6607db0095531a1acf47bdc1ff0ca2a06591e81d3c897eb8
                                • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                • Instruction Fuzzy Hash: 100105B1804B51CFC725CF55C4A468AFBE0BB15304F90C95EC0AA57B50D7B8A508CB68
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB5B439
                                  • Part of subcall function 6CB5B4BA: __EH_prolog.LIBCMT ref: 6CB5B4BF
                                  • Part of subcall function 6CB3D22B: __EH_prolog.LIBCMT ref: 6CB3D230
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: D.K$T.K
                                • API String ID: 3519838083-2437000251
                                • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                • Instruction ID: 5b3d19341ef8e859813e8b4adf336fd30d8bd88ba179e03ba9c40c071540d17e
                                • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                • Instruction Fuzzy Hash: A3012C71911B51CFC764CF69C5542CEBBF4BF19704F00C91E90AA97B40EBB8A608CB95
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                 • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 8)L$8rJ
                                • API String ID: 3519838083-896068166
                                • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                • Instruction ID: 28698d865852b09412125549cc49833de3016907a5684465f0d88b12efae0249
                                • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                • Instruction Fuzzy Hash: EDF03A76A14114EFD700CF98D949BDEBBF8FF46354F14806AF405A7211C7B89A04CBA5
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CB343F9
                                  • Part of subcall function 6CB34320: __EH_prolog.LIBCMT ref: 6CB34325
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: `)L$|{J
                                • API String ID: 3519838083-2198066115
                                • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction ID: 96d9d092fef5ba1e9a801c5d2753cc50b2472e1d7fab32a9d429ba68b235d5d5
                                • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                • Instruction Fuzzy Hash: 77F05872610114BFCB059F94DC04BDEBBA9FF49314F00802AF505A6650CBB66A148B98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction ID: 3c1f20a97f17d956fc5cff55c8f2b6007bd27833e01157a555a73f604e1157d1
                                • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                • Instruction Fuzzy Hash: 7CE02232A551509FDB049F08D820BEEF7A4EF42724F11001FE029A3B42CBB9A800CBC1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: \~J
                                • API String ID: 3037903784-3176329776
                                • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                • Instruction ID: 985fd1b7e79d973dae08e42dde1637d3c9d051b8e103c757607f1d59c2eca4aa
                                • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                • Instruction Fuzzy Hash: 82E06532A09561DBDB248F4DD910B9DF7A4EF44768F11415E9015B7A51CBF1A904CA81
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: |zJ
                                • API String ID: 3037903784-3782439380
                                • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction ID: fd7184f2988fff499c35130c749ee32b942fe899169c9a7023e0e3c58b994acc
                                • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                • Instruction Fuzzy Hash: FDE09B32645570ABEB15DF48D8117DFF3A4FF54B14F11402FD016A7A41CBB1A805C791
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @ K$DJ$T)K$X/K
                                • API String ID: 0-3815299647
                                • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                • Instruction ID: 3409d4e3fc6a6cae4451a85d25416df28947aaf6c471c316e41a93d722ec16a2
                                • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                • Instruction Fuzzy Hash: 0E91ED306043859FCB00DEB4C6507EEB3A2EF5530CF90881AD8665BB85DB75A96ECB52
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463
                                • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction ID: d856a17b82c7abe10de6412ced282bb98d734a0ebe2216f9bc7a5dfdd6bf3654
                                • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                • Instruction Fuzzy Hash: B951F0309043899BCF11CFA8DA40ADEB7B1EF0531CF50402AF82567A91DB7299ADCF95
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: (?K$8?K$H?K$CK
                                • API String ID: 0-3450752836
                                • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction ID: ed8e9ca880592c8773bc9a563e97077271cc7774d6f63d954c4daecd3b74a636
                                • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                • Instruction Fuzzy Hash: 87F030B15017009FC760CF05D54879BF7F4EB4174AF50C91EE49A9BA40D3B8A5088FB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
                                • Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000007.00000002.2431499947.000000006CBC9000.00000020.00000001.01000000.00000009.sdmp
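The records above are the IDA plugin's per-function similarity fingerprints (API ID, String ID, Opcode ID, Instruction ID, fuzzy hashes) together with the memory dump each function was lifted from. To reuse them outside the report, for instance to check whether a function's Opcode ID or API ID reappears in a dump from another sample of the same family, here is an added Python parser. It is not part of the Joe Sandbox report or the plugin; it assumes only the layout visible on this page (a "Joe Sandbox IDA Plugin" header per function, then "Similarity", "APIs", "Strings" and "Memory Dump Source" sections with bullet lines) and uses two records copied from the listing as constructed input, keeping the "Download File" link label the rendered page fuses onto the Associated dump names so the parser can strip it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RECORD_START = "Joe Sandbox IDA Plugin"
SECTIONS = {"Similarity", "APIs", "Strings", "Memory Dump Source"}
LINK_RESIDUE = "Download File"  # link label the rendered page fuses onto "Associated:" names
SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (\w+)")

# Constructed sample: two records copied from the listing above (the second one truncated
# after its Similarity bullets); the fused "Download File" label is kept on purpose.
SAMPLE = """\
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
Similarity
• API ID: H_prolog
• String ID: 8)L$8rJ
• API String ID: 3519838083-896068166
• Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
• Instruction ID: 28698d865852b09412125549cc49833de3016907a5684465f0d88b12efae0249
• Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
• Instruction Fuzzy Hash: EDF03A76A14114EFD700CF98D949BDEBBF8FF46354F14806AF405A7211C7B89A04CBA5
APIs
• __EH_prolog.LIBCMT ref: 6CB343F9
  • Part of subcall function 6CB34320: __EH_prolog.LIBCMT ref: 6CB34325
Strings
Memory Dump Source
• Source File: 00000007.00000002.2430837013.000000006CAF8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAF8000, based on PE: true
• Associated: 00000007.00000002.2431460526.000000006CBC3000.00000004.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
Similarity
• API ID:
• String ID: (?K$8?K$H?K$CK
• API String ID: 0-3450752836
• Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
• Instruction ID: ed8e9ca880592c8773bc9a563e97077271cc7774d6f63d954c4daecd3b74a636
• Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
• Instruction Fuzzy Hash: 87F030B15017009FC760CF05D54879BF7F4EB4174AF50C91EE49A9BA40D3B8A5088FB9
"""

@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)  # header + Similarity bullets
    apis: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    associated: List[str] = field(default_factory=list)

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

def parse_listing(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'Joe Sandbox IDA Plugin' header; bullets are keyed by section."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RECORD_START:
            cur, section = FunctionRecord(), None
            records.append(cur)
        elif cur is None:
            continue  # text before the first record
        elif line in SECTIONS:
            section = line
        else:
            body = line.lstrip("•").strip()
            if section in (None, "Similarity"):
                key, _, val = body.partition(":")  # value may be empty ("API ID:")
                cur.fields[key.strip()] = val.strip()
            elif section == "APIs":
                cur.apis.append(body)
            elif section == "Strings":
                cur.strings.append(body)
            elif (m := SRC_RE.match(body)):
                cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
            elif body.startswith("Associated:"):
                name = body[len("Associated:"):].strip()
                if name.endswith(LINK_RESIDUE):
                    name = name[: -len(LINK_RESIDUE)]
                cur.associated.append(name)
    return records

def shared_fingerprints(a: List[FunctionRecord], b: List[FunctionRecord]) -> Dict[str, List[str]]:
    """Opcode IDs and non-empty API IDs that two listings (e.g. two samples' dumps) have in common."""
    ops = {r.opcode_id for r in a} & {r.opcode_id for r in b}
    apis = {r.api_id for r in a if r.api_id} & {r.api_id for r in b if r.api_id}
    return {"opcode_ids": sorted(ops), "api_ids": sorted(apis)}
```

Parsing records from two reports and calling shared_fingerprints on them gives a quick triage answer: a shared Opcode ID points at a function fingerprint that recurs across both dumps, while a shared API ID alone (as with the repeated H_prolog entries on this page) only says the functions use the same API pattern and still have to be compared by hand.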
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_6c940000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 00K$@0K$P0K$`0K
                                • API String ID: 0-1070766156
                                • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                                • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8