Windows Analysis Report
Zt43pLXYiu.exe

Overview

General Information

Sample name:Zt43pLXYiu.exe
renamed because original name is a hash value
Original sample name:B88488B8E7066575EB4B3CCA53545388C53420F8C9519A8A1866352A07CB481D.exe
Analysis ID:1579607
MD5:a8d9973fa386ac46b47fed5f05d198d5
SHA1:6a6cb373ff59178a029fcd2da3d5d1b29673cf3a
SHA256:b88488b8e7066575eb4b3cca53545388c53420f8c9519a8a1866352a07cb481d
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
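Two of the signatures above, "Drops files with a non-matching file extension (content does not match file extension)" and the registration of tProtect.dll as a kernel driver, come down to one triage habit: trust bytes, not names. The following is an added example written for this page, not Joe Sandbox code and not part of the report. It identifies a 7-Zip archive by its magic and a PE file by walking the MZ/PE/COFF headers to the optional header's Subsystem field, which distinguishes a kernel-mode driver (IMAGE_SUBSYSTEM_NATIVE) from a user-mode DLL or executable. The file names are taken from the report; every file body is a constructed header-only stub, and readme.txt is a hypothetical benign control.

```python
"""Content-versus-extension triage for dropped files (added example).

The signatures above flag files whose content does not match their extension
and a kernel driver registered from a .dll path. A triage script should trust
bytes, not names: this sniffs the 7-Zip magic and, for PE files, reads the
COFF and optional headers to tell a kernel-mode driver
(Subsystem == IMAGE_SUBSYSTEM_NATIVE) from a user-mode DLL or executable.
All file bodies here are constructed header-only stubs, not the sample's
real dropped files.
"""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32, PE32PLUS = 0x10B, 0x20B
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
MACHINES = {0x14C: "x86", 0x8664: "x64"}

# Which extensions are honest for each detected kind.
EXPECTED_EXT = {
    "7z archive": {"7z"},
    "kernel-mode driver": {"sys"},
    "user-mode DLL": {"dll", "ocx", "cpl"},
    "executable": {"exe", "scr"},
}


def build_pe(machine, characteristics, subsystem, pe32plus):
    """Constructed PE stub: MZ header with e_lfanew, PE signature, COFF header
    and an optional header that is zero except for Magic and Subsystem."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", PE32PLUS if pe32plus else PE32) + b"\x00" * 66
    opt += struct.pack("<H", subsystem)   # Subsystem is at offset 68 in both PE32 and PE32+
    opt += b"\x00" * (opt_size - len(opt))
    return dos + b"PE\x00\x00" + coff + opt


def identify(data):
    """Return a human-readable kind for the bytes, or 'unknown'."""
    if data.startswith(SEVENZIP_MAGIC):
        return "7z archive"
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20               # optional header follows "PE\0\0" and the COFF header
    if len(data) < opt + 70 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "unknown"
    machine, *_, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    arch = MACHINES.get(machine, hex(machine))
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return f"kernel-mode driver ({arch})"
    if chars & IMAGE_FILE_DLL:
        return f"user-mode DLL ({arch})"
    return f"executable ({arch})"


def sniff(name, data):
    """(declared extension, detected kind, mismatch?) for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    expected = EXPECTED_EXT.get(kind.split(" (")[0])
    mismatch = expected is not None and ext not in expected
    return ext, kind, mismatch


# Names from the report's drop list and process tree; contents constructed.
SAMPLES = {
    "tProtect.dll": build_pe(0x8664, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_SUBSYSTEM_NATIVE, True),
    "res.dat": SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 26,
    "7zr.exe": build_pe(0x14C, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_SUBSYSTEM_WINDOWS_CUI, False),
    "readme.txt": b"plain text control, no magic",   # hypothetical benign control
}


def triage(samples):
    """Map each file name to (extension, detected kind, mismatch flag)."""
    return {name: sniff(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ext, kind, bad) in triage(SAMPLES).items():
        print(f"{name:14} .{ext:4} -> {kind:26} {'MISMATCH' if bad else 'ok'}")
```

On the constructed inputs the script reports tProtect.dll as a kernel-mode x64 driver masquerading behind a .dll extension and res.dat as a 7z archive; only a PE whose Subsystem is NATIVE is treated as a driver, so a user-mode DLL under a .dll name is not flagged.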

Classification

  • System is w10x64
  • Zt43pLXYiu.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\Zt43pLXYiu.exe" MD5: A8D9973FA386AC46B47FED5F05D198D5)
    • Zt43pLXYiu.tmp (PID: 1540 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 2344 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7272 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • Zt43pLXYiu.exe (PID: 4692 cmdline: "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT MD5: A8D9973FA386AC46B47FED5F05D198D5)
        • Zt43pLXYiu.tmp (PID: 2516 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp" /SL5="$2040E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 6108 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 1792 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5800 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2912 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 4236 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7132 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 1204 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5680 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 7248 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7264 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7280 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7580 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7644 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7656 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7780 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7900 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 7948 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7964 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8036 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8164 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1540 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7252 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7364 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7388 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7480 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7556 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4036 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7500 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5748 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7616 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7824 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7856 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp, ParentProcessId: 1540, ParentProcessName: Zt43pLXYiu.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2344, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1204, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5680, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp, ParentProcessId: 1540, ParentProcessName: Zt43pLXYiu.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2344, ProcessName: powershell.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp, ParentCommandLine: "C:\Users\user\Desktop\Zt43pLXYiu.exe", ParentImage: C:\Users\user\Desktop\Zt43pLXYiu.exe, ParentProcessId: 6344, ParentProcessName: Zt43pLXYiu.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ProcessId: 1540, ProcessName: Zt43pLXYiu.tmp
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1204, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5680, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp, ParentProcessId: 1540, ParentProcessName: Zt43pLXYiu.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2344, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5800, ProcessName: svchost.exe
No Suricata rule has matched
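The Sigma matches above fire on three command-line patterns from the process tree: the Defender exclusion added with Add-MpPreference, the kernel-mode service created with sc.exe, and the 8.3 short-name path (user~1) in the installer's command line. The following is an added example, written for this page rather than taken from Joe Sandbox or from the Sigma rules themselves, that re-implements that matching logic in plain Python and runs it over constructed process_creation events. The command lines are copied from the process tree; the event records, the severity escalation (whole-drive exclusion, driver image outside System32\drivers or without a .sys extension, auto-start) and the benign control service "hypodrv" are assumptions of the example.

```python
"""Process-creation triage for the chain in this report (added example).

Re-implements, in plain Python, the matching logic of three Sigma rule
families that fired above: a Defender exclusion added with Add-MpPreference,
a kernel driver service registered with sc.exe, and 8.3 short-name paths in
a command line. It runs over constructed process_creation events whose
command lines are copied from the process tree; the events themselves are
not sandbox output.
"""
import re

# Constructed events (Sigma process_creation field names). The last one is a
# hypothetical benign control: a driver registered from the normal location.
EVENTS = [
    {"ProcessId": 1540,
     "Image": r"C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp",
     "CommandLine": r'"C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"'},
    {"ProcessId": 2344,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''},
    {"ProcessId": 5680, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"ProcessId": 7264, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc start CleverSoar"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create hypodrv binPath= "C:\Windows\System32\drivers\hypodrv.sys" type= kernel start= demand'},
]

SHORT_NAME = re.compile(r"~\d+\\")                    # 8.3 component such as user~1\ or progra~2\
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")            # C: or C:\
EXCLUSION = re.compile(r"-exclusionpath\s+(['\"]?)([^'\"]+)\1", re.IGNORECASE)
SC_OPT = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')  # sc.exe's "name= value" option syntax


def detect_defender_exclusion(cmd):
    """Add-MpPreference -ExclusionPath ...; excluding a whole drive is the worst case."""
    if "add-mppreference" not in cmd.lower():
        return None
    m = EXCLUSION.search(cmd)
    if not m:
        return None
    path = m.group(2).strip()
    return {"rule": "Powershell Defender Exclusion",
            "severity": "critical" if DRIVE_ROOT.match(path) else "high",
            "path": path}


def detect_kernel_service(cmd):
    """sc create <name> ... type= kernel; escalate when the image is not a .sys
    under System32\\drivers, or when the service is set to auto-start."""
    toks = cmd.split()
    if len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("sc", "sc.exe"):
        return None
    if toks[1].lower() != "create":
        return None
    opts = {k.lower(): (q or b) for k, q, b in SC_OPT.findall(cmd)}
    if opts.get("type", "").lower() != "kernel":
        return None
    binpath = opts.get("binpath", "")
    reasons = []
    if not binpath.lower().endswith(".sys"):
        reasons.append("driver image does not use the .sys extension")
    if "\\system32\\drivers\\" not in binpath.lower():
        reasons.append("driver image outside System32\\drivers")
    if opts.get("start", "").lower() == "auto":
        reasons.append("auto-start persistence")
    return {"rule": "New Kernel Driver Via SC.EXE", "service": toks[2],
            "binpath": binpath, "reasons": reasons,
            "severity": "critical" if reasons else "medium"}


def detect_short_name_path(cmd):
    """8.3 short names (user~1\\) are rare in legitimate command lines."""
    hits = SHORT_NAME.findall(cmd)
    if not hits:
        return None
    return {"rule": "Use Short Name Path in Command Line", "severity": "low", "matches": hits}


DETECTORS = (detect_defender_exclusion, detect_kernel_service, detect_short_name_path)


def triage(events):
    """Run every detector over every event; return one finding per hit."""
    findings = []
    for ev in events:
        for detect in DETECTORS:
            hit = detect(ev["CommandLine"])
            if hit:
                findings.append({"ProcessId": ev["ProcessId"], **hit})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Against the report's command lines this yields a critical finding for PID 2344 (the exclusion path is the whole C: drive), a critical finding for PID 5680 (kernel service whose image is a .dll under Program Files (x86) with start= auto), a low finding for the installer's user~1 path, nothing for the bare `sc start CleverSoar` invocations, and only the base severity for the constructed control driver, which sits in System32\drivers with a .sys name.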


AV Detection

Source: Zt43pLXYiu.exe; Virustotal: Detection: 7% (Permalink)
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.1% probability
Source: Zt43pLXYiu.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zt43pLXYiu.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 00000010.00000003.1293727077.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000010.00000003.1293573759.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.16.dr
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp; Code function: 6_2_6D27AEC0 FindFirstFileA,FindClose,FindClose,6_2_6D27AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 13_2_00EB6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,13_2_00EB6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 13_2_00EB7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,13_2_00EB7496
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: Zt43pLXYiu.tmp, 00000002.00000003.1243511497.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; Strings found in binary or memory (DigiCert AIA/CRL/OCSP URLs from embedded Authenticode certificate data; trailing characters such as "0E" are adjacent ASN.1 bytes, not part of the URL):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr; Strings found in binary or memory (aria2 download-utility usage strings):
  • http://www.metalinker.org/
  • http://www.metalinker.org/basic_string::_M_construct
  • https://aria2.github.io/
  • https://aria2.github.io/Usage:
Source: svchost.exe, 00000007.00000002.1371643939.000001C64AE13000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.bingmapsportal.comsv
Source: svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp; Strings found in binary or memory (Bing Maps REST endpoints in svchost.exe memory; no corresponding network traffic is recorded above):
  • https://appexmapsappupdate.blob.core.windows.net
  • https://dev.ditu.live.com/REST/v1/Locations
  • https://dev.ditu.live.com/REST/v1/Routes/
  • https://dev.ditu.live.com/mapcontrol/logging.ashx
  • https://dev.virtualearth.net/REST/v1/Locations
  • https://dev.virtualearth.net/REST/v1/Routes/Driving
  • https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000002.1372093635.000001C64AE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372260771.000001C64AE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368663153.000001C64AE6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369583579.000001C64AE59000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000002.1372260771.000001C64AE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368663153.000001C64AE6E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369583579.000001C64AE59000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000007.00000002.1371886174.000001C64AE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.1369841772.000001C64AE31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.1371886174.000001C64AE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.1369230340.000001C64AE5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.drString found in binary or memory: https://github.com/aria2/aria2/issues
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.drString found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: Zt43pLXYiu.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000003.1369676816.000001C64AE49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs
Source: svchost.exe, 00000007.00000003.1369676816.000001C64AE49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371828450.000001C64AE37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.1369676816.000001C64AE49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372093635.000001C64AE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.1369321441.000001C64AE5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000002.1372093635.000001C64AE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: Zt43pLXYiu.exe, 00000000.00000003.1231809116.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1231405029.0000000003020000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000002.00000000.1233809476.00000000001C1000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1256628794.0000000000E3D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.drString found in binary or memory: https://www.innosetup.com/
Source: Zt43pLXYiu.exe, 00000000.00000003.1231809116.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1231405029.0000000003020000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000002.00000000.1233809476.00000000001C1000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1256628794.0000000000E3D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Process information set: 01 00 00 00

System Summary

Source: update.vac.2.dr Static PE information: section name: .=~
Source: hrsw.vbc.6.dr Static PE information: section name: .=~
Source: update.vac.6.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D285120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 6_2_6D285120
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D103886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6D103886
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D103D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6D103D18
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D285D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6D285D60
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D103D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6D103D62
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D103C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6D103C62
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D1039CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6D1039CF
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D103A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6D103A6A
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D101950 CreateFileA,DeviceIoControl,CloseHandle, 6_2_6D101950
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D104754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 6_2_6D104754
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: String function: 6D356F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: String function: 6D2B9240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00F4FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00EB1E40 appears 150 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00EB28E3 appears 34 times
Source: Zt43pLXYiu.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Zt43pLXYiu.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Zt43pLXYiu.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: Zt43pLXYiu.tmp.5.dr Static PE information: Number of sections : 11 > 10
Source: Zt43pLXYiu.exe Static PE information: Number of sections : 11 > 10
Source: Zt43pLXYiu.exe, 00000000.00000000.1229919219.0000000000739000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName SSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe, 00000000.00000003.1231809116.000000007F8FA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName SSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe, 00000000.00000003.1231405029.000000000313E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName SSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe Binary or memory string: OriginalFileName SSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.16.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.16.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal92.evad.winEXE@129/32@1/0
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D285D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6D285D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 13_2_00EB9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 13_2_00EB9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 13_2_00EC3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 13_2_00EC3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 13_2_00EB9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 13_2_00EB9252
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp Code function: 6_2_6D285240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW, 6_2_6D285240
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp File created: C:\Program Files (x86)\Windows NT\is-QCQAS.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeFile created: C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmpJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Zt43pLXYiu.exe | Virustotal: Detection: 7%
Source: Zt43pLXYiu.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | File read: C:\Users\user\Desktop\Zt43pLXYiu.exe
Source: unknown | Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe"
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Process created: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Process created: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp "C:\Users\user~1\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp" /SL5="$2040E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Process created: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp "C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Process created: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp "C:\Users\user~1\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp" /SL5="$2040E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dll
Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Window found: window name: TMainForm
Source: Window Recorder - Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Zt43pLXYiu.exe - Static file information: File size 5707174 > 1048576
Source: Zt43pLXYiu.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 00000010.00000003.1293727077.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000010.00000003.1293573759.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.16.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 13_2_00F357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: Zt43pLXYiu.tmp.0.dr - Static PE information: real checksum: 0x0 should be: 0x343a15
Source: Zt43pLXYiu.tmp.5.dr - Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.6.dr - Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr - Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: Zt43pLXYiu.exe - Static PE information: real checksum: 0x0 should be: 0x577ff5
Source: hrsw.vbc.6.dr - Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.16.dr - Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: Zt43pLXYiu.exe - Static PE information: section name: .didata
Source: Zt43pLXYiu.tmp.0.dr - Static PE information: section name: .didata
Source: update.vac.2.dr - Static PE information: section name: .00cfg
Source: update.vac.2.dr - Static PE information: section name: .voltbl
Source: update.vac.2.dr - Static PE information: section name: .=~
Source: Zt43pLXYiu.tmp.5.dr - Static PE information: section name: .didata
Source: 7zr.exe.6.dr - Static PE information: section name: .sxdata
Source: is-PURV2.tmp.6.dr - Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr - Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr - Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr - Static PE information: section name: .=~
Source: update.vac.6.dr - Static PE information: section name: .00cfg
Source: update.vac.6.dr - Static PE information: section name: .voltbl
Source: update.vac.6.dr - Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6D130F00 push ss; retn 0001h - 6_2_6D130F0A
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6D2886EB push ecx; ret - 6_2_6D2886FE
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6D356F10 push eax; ret - 6_2_6D356F2E
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6D2BB9F4 push 004AC35Ch; ret - 6_2_6D2BBA0E
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6D357290 push eax; ret - 6_2_6D3572BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 13_2_00EB45F4 push 00F5C35Ch; ret - 13_2_00EB460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 13_2_00F4FB10 push eax; ret - 13_2_00F4FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 13_2_00F4FE90 push eax; ret - 13_2_00F4FEBE
Source: update.vac.2.dr - Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr - Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr - Static PE information: section name: .=~ entropy: 7.19316283520878
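The three static findings above (CheckSum fields that do not match the file, the punctuation-only section name ".=~", and a section entropy of 7.19 bits per byte) can be reproduced without a sandbox. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it parses just enough of the PE headers with the standard library to recompute the image checksum, list section names, and measure per-section entropy. The KNOWN_SECTIONS list and the 7.0-bit threshold are assumptions of the example, and the sample PE it builds for an offline run is a constructed stand-in, not one of the dropped files.

```python
"""Static PE triage for the anomalies listed above: a CheckSum field that does not
match the file (0x0 on the Inno Setup outputs, a stale value on tProtect.dll),
section names outside the usual linker vocabulary (".=~") and near-maximal section
entropy (7.19 bits/byte). Standard library only, no pefile dependency."""
import math
import struct

# Names emitted by common toolchains (MSVC incl. .00cfg/.voltbl, GCC/MinGW, Delphi
# and Inno Setup). Assumed list: extend it for your own corpus. Punctuation-only
# names such as ".=~" are packer or obfuscator output.
KNOWN_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".xdata", ".bss",
    ".rsrc", ".reloc", ".tls", ".CRT", ".gfids", ".00cfg", ".voltbl", ".didata",
    ".itext", ".sxdata", ".debug", "CODE", "DATA", "BSS",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    entropy = 0.0
    for c in counts:
        if c:
            p = c / len(data)
            entropy -= p * math.log2(p)
    return entropy


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as CheckSumMappedFile computes it: fold all 16-bit words,
    skipping the 4-byte CheckSum field itself, then add the file length."""
    padded = data + b"\x00" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: checksum field plus name and entropy of every section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_off = opt + 64  # same offset in PE32 and PE32+ optional headers
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "computed_checksum": pe_checksum(data, checksum_off), "sections": sections}


def triage(data: bytes, entropy_threshold: float = 7.0) -> list:
    """Human-readable findings; the 7.0 threshold is an assumed rule of thumb."""
    info = parse_pe(data)
    stored, computed = info["stored_checksum"], info["computed_checksum"]
    findings = []
    if stored != computed:
        note = "never set by the linker" if stored == 0 else "file modified after the checksum was set"
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{computed:x} ({note})")
    for sec in info["sections"]:
        if sec["name"] not in KNOWN_SECTIONS:
            findings.append(f"unusual section name {sec['name']!r}")
        if sec["entropy"] >= entropy_threshold:
            findings.append(f"high entropy section {sec['name']!r}: {sec['entropy']:.2f} bits/byte")
    return findings


def build_sample_pe(checksum: int = 0) -> bytes:
    """Constructed PE32 stand-in (not a real sample): a zero-filled .text plus a
    packer-style '.=~' section holding a uniform byte distribution."""
    sections = [(b".text", bytes(512)), (b".=~", bytes(range(256)) * 2)]
    opt_size, e_lfanew, headers_size = 224, 0x40, 512
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum field
    headers, bodies, raw_ptr, va = dos + b"PE\0\0" + coff + bytes(opt), b"", headers_size, 0x1000
    for name, body in sections:
        headers += struct.pack("<8sIIII", name, len(body), va, len(body), raw_ptr) + bytes(16)
        bodies, raw_ptr, va = bodies + body, raw_ptr + len(body), va + 0x1000
    return headers + bytes(headers_size - len(headers)) + bodies


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("\n".join(triage(blob) or ["no findings"]))
```

Run it against one of the dropped files (`python triage.py update.vac`) or with no argument to see the constructed sample flagged. Two caveats when reading the output: a zero CheckSum on a user-mode executable is weak evidence on its own, since many toolchains (Inno Setup included) never fill the field and the PE/COFF specification only requires it to be validated for drivers and boot-time DLLs; but tProtect.dll carries a non-zero stale value (0x1eb0f where 0xfc66 is expected), which means its bytes were changed after the checksum was written, and that is the file the report later shows being registered as a kernel driver. The .00cfg and .voltbl names are ordinary MSVC output (Control Flow Guard and volatile-metadata tables), so only ".=~" is anomalous among the names listed.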
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp - File created: C:\Users\user\AppData\Local\Temp\is-3VSUM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Users\user\AppData\Local\Temp\is-OGA79.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Program Files (x86)\Windows NT\is-PURV2.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe - File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - File created: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - File created: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Users\user\AppData\Local\Temp\is-OGA79.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp - File created: C:\Users\user\AppData\Local\Temp\is-3VSUM.tmp\update.vac (repeated 2 times)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - File created: C:\Users\user\AppData\Local\Temp\is-OGA79.tmp\update.vac
Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
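The sc.exe command above registers tProtect.dll, a file that 7zr.exe unpacked into Program Files and whose PDB path identifies it as a build of the ThreatFire TfSysMon driver, as an auto-start kernel-driver service named CleverSoar. A driver image with a .dll extension outside System32\drivers is the cheap thing to hunt for on every host. The script below is an added example for this page, not part of the report: the classification logic is plain Python so it runs anywhere, the registry walker at the bottom runs only on Windows, and the sample records are constructed, with the CleverSoar entry reproducing the service that command creates (the Service Control Manager stores absolute driver paths with a `\??\` prefix, which the normaliser strips).

```python
"""Hunt for kernel-driver services whose image lives outside the driver directories,
the pattern in the `sc create CleverSoar ... type= kernel start= auto` line above:
a driver masquerading as a DLL under Program Files."""
import ntpath
import os
import re
import sys
from dataclasses import dataclass

# Values as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>
SERVICE_KERNEL_DRIVER = 0x1        # sc create ... type= kernel
SERVICE_FILE_SYSTEM_DRIVER = 0x2   # sc create ... type= filesys
START_BOOT, START_SYSTEM, START_AUTO = 0, 1, 2


@dataclass
class ServiceRecord:
    name: str
    service_type: int
    start: int
    image_path: str


def normalize_image_path(image_path: str, windir: str) -> str:
    """ImagePath comes in several spellings: 'system32\\drivers\\x.sys',
    '\\SystemRoot\\System32\\drivers\\x.sys', '%SystemRoot%\\...' and the
    '\\??\\C:\\...' form the SCM stores for absolute Win32 paths. Reduce all of
    them to one lowercase drive-letter path."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("\\SystemRoot\\", "%SystemRoot%\\"):
        if p.lower().startswith(prefix.lower()):
            p = windir.rstrip("\\") + "\\" + p[len(prefix):]
            break
    if not re.match(r"^[a-z]:\\", p, re.IGNORECASE):   # relative to the Windows directory
        p = windir.rstrip("\\") + "\\" + p.lstrip("\\")
    return p.lower()


def driver_findings(rec: ServiceRecord, windir: str = r"C:\Windows") -> list:
    """Reasons a driver service deserves a look; empty for user-mode services and
    for drivers that look ordinary."""
    if rec.service_type not in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
        return []
    path = normalize_image_path(rec.image_path, windir)
    w = windir.lower().rstrip("\\")
    expected_dirs = (w + "\\system32\\drivers\\", w + "\\system32\\driverstore\\")
    findings = []
    if not path.startswith(expected_dirs):
        findings.append(f"image outside the driver directories: {path}")
    if not path.endswith(".sys"):
        findings.append(f"driver image without .sys extension: {ntpath.basename(path)}")
    if findings and rec.start in (START_BOOT, START_SYSTEM, START_AUTO):
        findings.append(f"start type {rec.start}: loads at boot without user interaction")
    return findings


def hunt(records, windir: str = r"C:\Windows") -> dict:
    """Map service name -> findings for every record that produced any."""
    hits = {}
    for rec in records:
        findings = driver_findings(rec, windir)
        if findings:
            hits[rec.name] = findings
    return hits


def enumerate_services_from_registry() -> list:
    """Windows only: read every service key that carries an ImagePath."""
    import winreg  # only importable on Windows, hence the local import
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    stype = winreg.QueryValueEx(key, "Type")[0]
                    start = winreg.QueryValueEx(key, "Start")[0]
                    image = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # container keys and entries without an image
            records.append(ServiceRecord(name, stype, start, image))
    return records


# Constructed sample records. The first reproduces the service the sc.exe line
# above creates; the rest are ordinary entries for contrast.
SAMPLE_SERVICES = [
    ServiceRecord("CleverSoar", SERVICE_KERNEL_DRIVER, START_AUTO,
                  r"\??\C:\Program Files (x86)\Windows NT\tProtect.dll"),
    ServiceRecord("tcpip", SERVICE_KERNEL_DRIVER, START_BOOT, r"System32\drivers\tcpip.sys"),
    ServiceRecord("FltMgr", SERVICE_FILE_SYSTEM_DRIVER, START_BOOT, r"system32\drivers\fltmgr.sys"),
    ServiceRecord("Null", SERVICE_KERNEL_DRIVER, START_SYSTEM, r"\SystemRoot\System32\drivers\null.sys"),
    ServiceRecord("Spooler", 0x10, START_AUTO, r"%SystemRoot%\System32\spoolsv.exe"),  # user-mode, skipped
]

if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    records = enumerate_services_from_registry() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, reasons in hunt(records, windir).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Every hit needs a second look rather than an automatic verdict: some security products legitimately keep their drivers under their own program directory or ProgramData, so the follow-up is to check the image's Authenticode signature (Get-AuthenticodeSignature in PowerShell) and compare its hash against Microsoft's vulnerable driver blocklist. The case in this report shows why the path and extension check matters even for a signed file: the driver is a third-party build dropped under a misleading name, and the checksum entry earlier in the report shows its bytes were altered after it was linked.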

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (repeated 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (repeated 6 times)
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX (repeated 106 times)
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (repeated 9 times)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences; this is INT64_MAX / 10000, the largest expressible timeout, i.e. an indefinite wait)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6048
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3405
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Window / User API: threadDelayed 595
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Window / User API: threadDelayed 616
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Window / User API: threadDelayed 590
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3VSUM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OGA79.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-PURV2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OGA79.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3VSUM.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TID: 1412 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (26 occurrences)
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D27AEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 13_2_00EB6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 13_2_00EB7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 13_2_00EB9C60 GetSystemInfo
Source: svchost.exe, 0000000A.00000002.1435011933.000001B8FB62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Zt43pLXYiu.tmp, 00000002.00000002.1260605482.000000000126D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z
Source: Zt43pLXYiu.tmp, 00000002.00000002.1260605482.000000000126D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000A.00000002.1435011933.000001B8FB62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000000A.00000002.1435104671.000001B8FB64B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000A.00000002.1435011933.000001B8FB62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000A.00000002.1434837580.000001B8FB600000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 0000000A.00000002.1435261809.000001B8FB68A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000A.00000002.1435186694.000001B8FB664000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 0000000A.00000002.1435104671.000001B8FB64B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002F.00000002.1434605595.000001FDC1A31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Note on reading this section: the entries attributed to svchost.exe and conhost.exe are Windows processes (the behavior graph below shows svchost.exe starting at top level, not as a child of the sample), so the VMware device paths in their memory and their delay loops are environment noise. The sample's own evasion evidence is the FirmwareTableInformation query and the NECVMWar CD-ROM device path in the memory of Zt43pLXYiu.tmp (process 2), the first-stage installer.

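The two sample-attributable observations above, a FirmwareTableInformation query and VMware device-interface names in the installer's memory, are the raw material of a virtual-machine check: GetSystemFirmwareTable('RSMB') (a wrapper over NtQuerySystemInformation's SystemFirmwareTableInformation class) returns the raw SMBIOS table, whose Type 1 structure names the system manufacturer and product, and the device paths carry the hypervisor's vendor strings. The parser below is an added example, written for this page and not code from the sample or from Joe Sandbox. It parses a RawSMBIOSData buffer, extracts the Type 1 strings and scans them, together with the disk device path recorded in this report, for hypervisor markers. The SMBIOS blob is constructed to imitate a VMware guest, and the marker list, the structure field choices and the function names are my assumptions rather than anything the report states.

```python
import struct
from dataclasses import dataclass

# Substrings that identify common hypervisors in SMBIOS strings and in
# device-interface paths. "necvmwar" and "virtual_disk" are the VMware
# CD-ROM and disk identifiers seen in this report's memory strings; the
# rest of the list is my own assumption of useful markers.
HYPERVISOR_MARKERS = (
    "vmware", "necvmwar", "virtual_disk", "virtualbox", "vbox", "qemu",
    "kvm", "xen", "hyper-v", "virtual machine", "bochs", "parallels",
)


@dataclass
class SmbiosStructure:
    stype: int
    handle: int
    formatted: bytes   # 4-byte header plus the fixed-length fields
    strings: list      # the structure's string set (1-based in the spec)


def parse_raw_smbios(raw: bytes) -> list:
    """Parse a RawSMBIOSData buffer as returned by GetSystemFirmwareTable('RSMB').

    Header: Used20CallingMethod, SMBIOSMajorVersion, SMBIOSMinorVersion,
    DmiRevision (four u8), Length (u32), then the structure table. Each
    structure is type u8, length u8, handle u16 and the rest of the formatted
    area (`length` bytes in total, header included), then NUL-terminated
    strings closed by an extra NUL (a structure with no strings has two NULs).
    """
    _, _major, _minor, _rev, length = struct.unpack_from("<BBBBI", raw, 0)
    data = raw[8:8 + length]
    structures, off = [], 0
    while off + 4 <= len(data):
        stype, slen, handle = struct.unpack_from("<BBH", data, off)
        if slen < 4:
            raise ValueError("corrupt SMBIOS structure length")
        formatted = data[off:off + slen]
        pos, strings = off + slen, []
        while True:
            end = data.find(b"\x00", pos)
            if end < 0:
                raise ValueError("unterminated SMBIOS string set")
            chunk = data[pos:end]
            if not chunk:                          # reached the set terminator
                pos = end + (1 if strings else 2)
                break
            strings.append(chunk.decode("ascii", "replace"))
            pos = end + 1
        structures.append(SmbiosStructure(stype, handle, formatted, strings))
        off = pos
        if stype == 127:                           # End-of-Table structure
            break
    return structures


def system_information(structures: list) -> dict:
    """String fields of the Type 1 (System Information) structure, or {}."""
    for s in structures:
        if s.stype == 1 and len(s.formatted) >= 8:
            def ref(i):                            # string index 0 means "no string"
                return s.strings[i - 1] if 0 < i <= len(s.strings) else ""
            manufacturer, product, version, serial = s.formatted[4:8]
            return {"manufacturer": ref(manufacturer), "product": ref(product),
                    "version": ref(version), "serial": ref(serial)}
    return {}


def vm_markers(strings) -> list:
    """Hypervisor markers present in any of `strings`, in marker-list order."""
    found = []
    for text in strings:
        low = text.lower()
        for marker in HYPERVISOR_MARKERS:
            if marker in low and marker not in found:
                found.append(marker)
    return found


def _smbios_struct(stype: int, handle: int, body: bytes, strings: list) -> bytes:
    header = struct.pack("<BBH", stype, 4 + len(body), handle)
    if strings:
        strset = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    else:
        strset = b"\x00\x00"
    return header + body + strset


def constructed_vmware_table() -> bytes:
    """Hand-built RawSMBIOSData blob imitating a VMware guest (constructed
    sample input; not captured from the sandbox or any real machine)."""
    bios = _smbios_struct(0, 0x0000,                 # Type 0: BIOS Information
        bytes([1, 2]) + struct.pack("<H", 0xE000) + bytes([3, 0xFF]) + struct.pack("<Q", 0),
        ["Phoenix Technologies LTD", "6.00", "11/12/2020"])
    system = _smbios_struct(1, 0x0100,               # Type 1: System Information
        bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0]),  # string indexes, UUID, wake-up, SKU, family
        ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-42 1a 00 11 22 33"])
    end = _smbios_struct(127, 0xFEFF, b"", [])       # Type 127: End-of-Table
    table = bios + system + end
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(table)) + table


def read_live_table_windows() -> bytes:
    """On Windows, fetch the real table (provider signature 'RSMB' = 0x52534D42)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    size = k32.GetSystemFirmwareTable(0x52534D42, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(0x52534D42, 0, buf, size)
    return buf.raw


if __name__ == "__main__":
    info = system_information(parse_raw_smbios(constructed_vmware_table()))
    print(info, vm_markers(info.values()))
    # Device-interface path recorded in this report's svchost.exe memory:
    print(vm_markers([r"\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"]))
```

The same parser run on read_live_table_windows() inside a sandbox shows exactly what the sample sees; an analysis environment that wants to survive this check has to patch the SMBIOS strings at the hypervisor level, not just the registry keys that mirror them.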
Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D103886 NtSetInformationThread 00000000,00000011,00000000,00000000 (ThreadInformationClass 0x11 is ThreadHideFromDebugger)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D290181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (2 occurrences)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 13_2_00F357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D299D35 mov eax, dword ptr fs:[00000030h] (fs:[0x30] is the PEB pointer in the 32-bit TEB, the usual prelude to reading PEB.BeingDebugged or PEB.NtGlobalFlag)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D299D66 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D28F17D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (SeDebugPrivilege enabled)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process token adjusted: Debug (SeDebugPrivilege enabled)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D288CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

The substantive anti-debugging here is the HideFromDebugger call and the DebugPort query by the second-stage installer; a thread hidden this way stops delivering debug events, so a debugger attached to it will miss breakpoints and exceptions on that thread. The IsDebuggerPresent / SetUnhandledExceptionFilter pairs are also what C runtime start-up code emits, and the GetTickCount / QueryPerformanceCounter sequence in 7zr.exe (the file name of 7-Zip's reduced console extractor, 0% at ReversingLabs in the table below) is ordinary timing code, so neither is strong evidence on its own.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 occurrences; excludes the entire system drive from Defender scanning)
Source: tProtect.dll.16.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp | Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT (the Inno Setup switch for a silent install: the installer relaunches itself without UI)
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto (registers the dropped DLL as an auto-start kernel-mode driver service; a kernel driver outside System32\drivers with a .dll extension is itself a detection opportunity)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (25 occurrences; this section shows the repeated start attempts but not whether the driver loaded)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6D357720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (2 occurrences)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 13_2_00EBAB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 13_2_00F50090 GetVersion

The powershell.exe volume-information queries against catalog files and the AppV / BitLocker module DLLs are what a PowerShell host does while resolving and validating modules on start-up; they are a side effect of running powershell.exe at all, not reconnaissance by the sample.

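The two commands in the section above, Add-MpPreference -ExclusionPath 'C:\' and sc create CleverSoar ... type= kernel with a binPath pointing at a .dll under Program Files, are the cheapest things in this report to hunt for in process-creation telemetry. The script below is an added example for this page, not part of the report or of the sample, and runs two checks over constructed process-creation records: a Defender exclusion whose path is a whole drive, and a kernel-mode service whose binary sits outside System32\drivers or lacks a .sys extension. The record shape (parent image, image, command line, as a Sysmon Event ID 1 export would give after field extraction), the rule names and the severities are my assumptions; the first three command lines are the ones the report attributes to the sample, the last two are benign controls I made up.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records: (parent image, image, command line).
# The first three command lines are the ones this report attributes to the
# sample; the last two are benign controls. None of this is a captured log.
SAMPLE_EVENTS = [
    ("Zt43pLXYiu.tmp", "powershell.exe",
     "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ("cmd.exe", "sc.exe",
     "sc create CleverSoar displayname= CleverSoar binPath= "
     "\"C:\\Program Files (x86)\\Windows NT\\tProtect.dll\" type= kernel start= auto"),
    ("cmd.exe", "sc.exe", "sc start CleverSoar"),
    ("msiexec.exe", "sc.exe",
     "sc create vendorflt binPath= \"C:\\Windows\\System32\\drivers\\vendorflt.sys\" "
     "type= kernel start= demand"),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Build\\cache'\""),
]

MP_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)\s*(.*)$", re.I)
SC_ARG = re.compile(r"(\w+)=\s*(\"[^\"]*\"|\S+)")      # sc's "key= value" syntax
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")              # e.g. C:\ or C:
DRIVERS_DIR = re.compile(r"\\windows\\system32\\drivers\\", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    parent: str
    command: str


def parse_sc_create(cmdline: str):
    """Return (service_name, {lower_key: value}) for an `sc create`, else None."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): v.strip('"') for k, v in SC_ARG.findall(m.group(2))}
    return m.group(1), args


def check_event(parent: str, image: str, cmdline: str) -> list:
    """Apply both rules to one record and return the findings (possibly none)."""
    findings = []
    m = MP_EXCLUSION.search(cmdline)
    if m:
        kind, value = m.group(1), m.group(2).strip()
        if kind.lower() == "path" and DRIVE_ROOT.match(value):
            findings.append(Finding("defender_exclusion_drive_root", "high", parent, cmdline))
        else:
            findings.append(Finding("defender_exclusion", "medium", parent, cmdline))
    sc = parse_sc_create(cmdline)
    if sc:
        _name, args = sc
        binpath = args.get("binpath", "")
        if args.get("type", "").lower() == "kernel":
            # Legitimate drivers live under System32\drivers and end in .sys;
            # a kernel service pointing anywhere else deserves a look.
            if not DRIVERS_DIR.search(binpath):
                findings.append(Finding("kernel_driver_outside_drivers_dir", "high", parent, cmdline))
            if not binpath.lower().endswith(".sys"):
                findings.append(Finding("kernel_driver_non_sys_extension", "high", parent, cmdline))
    return findings


def detect(events) -> list:
    out = []
    for parent, image, cmdline in events:
        out.extend(check_event(parent, image, cmdline))
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.parent} -> {f.command}")
```

Alerting on the sc create is enough; the report records sc start CleverSoar being issued 25 times, so a rule on the start would fire repeatedly for one installation. The parent of the Add-MpPreference call is an Inno Setup temp binary rather than an administrator's console, which is worth adding as a second condition once the parent image is in the record.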
Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000012.00000002.1435542629.000002034AD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

All three entries come from svchost.exe, and the provider GUID {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} is the Windows Defender entry in Security Center. The Security Center service is what holds this WMI event subscription and rewrites a provider's STATE when the product's configuration changes, so the likely trigger is the Add-MpPreference exclusion in the previous section rather than the sample touching these keys itself; treat the sample's action as the exclusion, and this as its downstream effect.
MITRE ATT&CK matrix, listed per tactic. A bracketed number is the count badge shown in the cell, copied as extracted; cells without a number are the matrix's standard technique cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: [1] Windows Management Instrumentation; [1] Native API; [2] Command and Scripting Interpreter; [1] Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: [1] DLL Side-Loading; [1] Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: [1] DLL Side-Loading; [1] Access Token Manipulation; [1] Windows Service; [111] Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: [2] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [1] Software Packing; [1] DLL Side-Loading; [11] Masquerading; [251] Virtualization/Sandbox Evasion; [1] Access Token Manipulation; [111] Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: [1] System Time Discovery; [3] File and Directory Discovery; [36] System Information Discovery; [361] Security Software Discovery; [251] Virtualization/Sandbox Evasion; [2] Process Discovery; [1] Application Window Discovery; [2] System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: [1] Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: [1] Encrypted Channel; [1] Non-Application Layer Protocol; [1] Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: [1] System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior graph (ID 1579607, sample Zt43pLXYiu.exe, start date 23/12/2024, architecture WINDOWS, score 92), rendered here as a process tree. DNS contact: time.windows.com.

Top-level signatures: Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; PE file contains section with special chars; 2 other signatures.

Zt43pLXYiu.exe (the sample)
  drops: C:\Users\user\AppData\...\Zt43pLXYiu.tmp (PE32)
  Zt43pLXYiu.tmp
    drops: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    Zt43pLXYiu.exe (relaunched by the installer)
      drops: C:\Users\user\AppData\...\Zt43pLXYiu.tmp (PE32)
      Zt43pLXYiu.tmp
        drops: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\trash (copy) (PE32+); 3 other files (none is malicious)
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        7zr.exe (two instances; one drops C:\Program Files (x86)\...\tProtect.dll, PE32+)
          conhost.exe (one per 7zr.exe instance)
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe; WmiPrvSE.exe
svchost.exe (top level in the graph, not a child of the sample)
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
cmd.exe
  sc.exe
    conhost.exe
31 other processes (further sc.exe instances, each with its own conhost.exe, among them)

Antivirus results for the submitted file (Source | Detection | Scanner):
Zt43pLXYiu.exe | 7% | Virustotal
Zt43pLXYiu.exe | 0% | ReversingLabs

Antivirus results for dropped files (Source | Detection | Scanner):
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-PURV2.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3VSUM.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OGA79.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs

No Antivirus matches (reported for each of the three remaining result tables)
NameIPActiveMaliciousAntivirus DetectionReputation
time.windows.com
unknown
unknownfalse
    high
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Zt43pLXYiu.exe | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000007.00000003.1369321441.000001C64AE5C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aria2.github.io/ | Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | false | | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000007.00000002.1372260771.000001C64AE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368663153.000001C64AE6E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/aria2/aria2/issues | Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs | svchost.exe, 00000007.00000003.1369676816.000001C64AE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000007.00000003.1369676816.000001C64AE49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372093635.000001C64AE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000007.00000003.1369230340.000001C64AE5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/aria2/aria2/issuesReport | Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | false | | high
http://www.metalinker.org/ | Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | false | | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000007.00000003.1369676816.000001C64AE49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371828450.000001C64AE37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000007.00000002.1372093635.000001C64AE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372260771.000001C64AE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1371994818.000001C64AE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369732432.000001C64AE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368663153.000001C64AE6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369583579.000001C64AE59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000007.00000002.1371886174.000001C64AE41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000007.00000002.1371886174.000001C64AE41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.remobjects.com/ps | Zt43pLXYiu.exe, 00000000.00000003.1231809116.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1231405029.0000000003020000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000002.00000000.1233809476.00000000001C1000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1256628794.0000000000E3D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.dr | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.innosetup.com/ | Zt43pLXYiu.exe, 00000000.00000003.1231809116.000000007F5FB000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1231405029.0000000003020000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000002.00000000.1233809476.00000000001C1000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1256628794.0000000000E3D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | false | | high
https://aria2.github.io/Usage: | Zt43pLXYiu.tmp, 00000006.00000002.1423790740.0000000003F59000.00000004.00001000.00020000.00000000.sdmp, is-PURV2.tmp.6.dr | false | | unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000007.00000002.1372093635.000001C64AE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369807387.000001C64AE57000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.comsv | svchost.exe, 00000007.00000002.1371643939.000001C64AE13000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369583579.000001C64AE59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000007.00000002.1371744305.000001C64AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1368884842.000001C64AE66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372233103.000001C64AE67000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000007.00000003.1369841772.000001C64AE31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1369005644.000001C64AE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1372157590.000001C64AE62000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                    No contacted IP infos
                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1579607
                                                                                    Start date and time:2024-12-23 05:17:10 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 9m 16s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Number of analysed new started processes analysed:98
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Critical Process Termination
                                                                                    Sample name:Zt43pLXYiu.exe
                                                                                    renamed because original name is a hash value
                                                                                    Original Sample Name:B88488B8E7066575EB4B3CCA53545388C53420F8C9519A8A1866352A07CB481D.exe
                                                                                    Detection:MAL
                                                                                    Classification:mal92.evad.winEXE@129/32@1/0
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 100%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 76%
                                                                                    • Number of executed functions: 28
                                                                                    • Number of non-executed functions: 75
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe
                                                                                    • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 40.81.94.65, 13.107.246.63, 52.149.20.212
                                                                                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:18:02 | API Interceptor | 1x Sleep call for process: Zt43pLXYiu.tmp modified
23:18:05 | API Interceptor | 28x Sleep call for process: powershell.exe modified
                                                                                    No context
                                                                                    No context
                                                                                    No context
                                                                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Get hash | malicious | Unknown | Browse |
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Get hash | malicious | Unknown | Browse |
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Get hash | malicious | Unknown | Browse |
 | ekTL8jTI4D.msi | Get hash | malicious | Unknown | Browse |
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):831200
                                                                                                Entropy (8bit):6.671005303304742
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                                                                                MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                                                                                SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                                                                                SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                                                                                SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse
                                                                                                • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
                                                                                                • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Browse
                                                                                                • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious, Browse
                                                                                                • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious, Browse
                                                                                                • Filename: ekTL8jTI4D.msi, Detection: malicious, Browse
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):249968
                                                                                                Entropy (8bit):7.999181384527325
                                                                                                Encrypted:true
                                                                                                SSDEEP:6144:Ikr8c5j7Y5FW8pkt8sAU7tmfSQOUtqbJv4dcLZWM2nb:95fY5Lpu3AW53Ob
                                                                                                MD5:08A2C168AB327371A9DF04F8B55B1FC8
                                                                                                SHA1:DD84BC526F4829AA236C4EC64F4F8C261D737930
                                                                                                SHA-256:683370ABE085C55C1BC40C4CA53FEBE03723E4CEC9115BBF39D307715B0A2CC4
                                                                                                SHA-512:AABC8A8C158BAA1C3A298B66D034B932F7ECF7F8825F19A1F1EAB683BFA401B588C7D85DE15745E58437648D9AED063EF98D0C3FFA0F17A58F3E3DCBF994F795
                                                                                                Malicious:false
                                                                                                Preview:.@S....2..x.,...............*..~W4U.,.j.N..;r....p..`_M.R..............yQ..........o..G%.....k......F....?._.S..../.e.wM!L;>6..~...:%.%.5..N{.Z.op.4(..x.d.1mAwv..kh.....a.o.e.h....B...........yK.. ..W..4y..n..>..9...r.....Im.^....,A...l..$.........#.t@.....'.(9.<....z..n..J..P./......}.?..<.+n...kZ..^1.."A?....F....`...]..MW....P.h.W.1O$..?;.Tu....t.6p.L.'.O...#RKhq../...`.+.B......:.>..B.-6..8I.....IO..C.}.>...i..... .R..O.O.*)s...j..3.3.N.$\....a......(.4.&.$.J.:2..m..Z...r..M.g.."..3.v.=...e.....n.~.PJ.....]..x7r.nm.....j..h......T.;..E.dG....^.......T.-@R1.+H/.l.b..V.~.6..-..g.%..!J=..._..)m...-l.\3L3'..;i.......F..;q..Ef.%r.|D'....~..#...Jg.e...`.[qn.-.:..N.7i...."..o3...#[.....]jTf.6\.m'.......7.e..{l..t.{.*gl.V.zD.6..y..!.sf...T.y.........XE.....p"_......*t........q....lW.y.z.^.e..Jkhwx..WP...9,.Bm6.. ...j4..Y.M.v...{........;..RI..6.:oz.K`F.|.H.\..f......q....?5.$......-..I..~.I...!p.V...,.5.n9..*....C./..8....&...&..J...P
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):3598848
                                                                                                Entropy (8bit):7.004949099807939
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                                                                MD5:1D1464C73252978A58AC925ECE57F0FB
                                                                                                SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                                                                SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                                                                SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                                                                Malicious:false
                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):5649408
                                                                                                Entropy (8bit):6.392614480390128
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                                                                MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                                                                SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                                                                SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                                                                SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):249968
                                                                                                Entropy (8bit):7.999181384527325
                                                                                                Encrypted:true
                                                                                                SSDEEP:6144:Ikr8c5j7Y5FW8pkt8sAU7tmfSQOUtqbJv4dcLZWM2nb:95fY5Lpu3AW53Ob
                                                                                                MD5:08A2C168AB327371A9DF04F8B55B1FC8
                                                                                                SHA1:DD84BC526F4829AA236C4EC64F4F8C261D737930
                                                                                                SHA-256:683370ABE085C55C1BC40C4CA53FEBE03723E4CEC9115BBF39D307715B0A2CC4
                                                                                                SHA-512:AABC8A8C158BAA1C3A298B66D034B932F7ECF7F8825F19A1F1EAB683BFA401B588C7D85DE15745E58437648D9AED063EF98D0C3FFA0F17A58F3E3DCBF994F795
                                                                                                Malicious:false
                                                                                                Preview:.@S....2..x.,...............*..~W4U.,.j.N..;r....p..`_M.R..............yQ..........o..G%.....k......F....?._.S..../.e.wM!L;>6..~...:%.%.5..N{.Z.op.4(..x.d.1mAwv..kh.....a.o.e.h....B...........yK.. ..W..4y..n..>..9...r.....Im.^....,A...l..$.........#.t@.....'.(9.<....z..n..J..P./......}.?..<.+n...kZ..^1.."A?....F....`...]..MW....P.h.W.1O$..?;.Tu....t.6p.L.'.O...#RKhq../...`.+.B......:.>..B.-6..8I.....IO..C.}.>...i..... .R..O.O.*)s...j..3.3.N.$\....a......(.4.&.$.J.:2..m..Z...r..M.g.."..3.v.=...e.....n.~.PJ.....]..x7r.nm.....j..h......T.;..E.dG....^.......T.-@R1.+H/.l.b..V.~.6..-..g.%..!J=..._..)m...-l.\3L3'..;i.......F..;q..Ef.%r.|D'....~..#...Jg.e...`.[qn.-.:..N.7i...."..o3...#[.....]jTf.6\.m'.......7.e..{l..t.{.*gl.V.zD.6..y..!.sf...T.y.........XE.....p"_......*t........q....lW.y.z.^.e..Jkhwx..WP...9,.Bm6.. ...j4..Y.M.v...{........;..RI..6.:oz.K`F.|.H.\..f......q....?5.$......-..I..~.I...!p.V...,.5.n9..*....C./..8....&...&..J...P
                                                                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):56530
                                                                                                Entropy (8bit):7.996641034577904
                                                                                                Encrypted:true
                                                                                                SSDEEP:768:Jg6hUqdESpfJcLGdtTLvw2g1RDFsx9y8Q7bKzEHoIIFdAy7gqEzhhiW1cN6ye59R:JHTUG/zw2g1RDWq8sK4rIT8lHX5H/n
                                                                                                MD5:4E6E3B0A58A2A4EE3D29D1C91F5371C5
                                                                                                SHA1:60A59DB6EB459D4CC45247991923B40E65B2DA35
                                                                                                SHA-256:0AC3E01ACCC59633B4AEA734E23EC1E6E6B9C6ABFFF56DCACCE3DEC66E3B8FC7
                                                                                                SHA-512:8E61DFA6F974A55CB2B37F146FC80B3C12C8FCD4E6B76F2F4292C28D114CDD32D4D5FA462851ADDFD82A83AAD0922450CF835783FFA2FA2AB34EC4F3D598AA64
                                                                                                Malicious:false
                                                                                                Preview:.@S......!| ..............;.H......Z.<.....y...p....).<...(i...P..8../*.8...j..<....r~...W..9....K...ID..g..O4|9....Yw.r'R/.6.M.[..9fn/.......'.Q.8]7L.=.D.2Au...j4;......%.p @B.D.h..|.....`....Y:.w.. .."..q..o...k._0.S..P./..{$.?;.L2.Q.d4}.......J..ht... G........X...a.Y...4.....N........#.HaO3.(...'.(...9..S.{./$t.E..U..s....[./.....R~P.../......en.@.::.I...%...OV..h.f^..i?.qz.@...I.C...7|W.'....c...; ...~Q....&M....h....TR.....X....;d.u+..A.G...w"*..G....&.....!._P..%.E..1.*..jX..P...g....../.......A..n......._.%O;.9A.x...e...a..Cb......%.=.>.5...Y.H5D....#a}..?...C.p.....2B0...1...IV..M.?.@.9..D..V.#.!..9.i...Kls..:...7..M...I..g..z...|.....I..Y....,M.r;e..$....H0...|.[q.&...2..M(u5#....p1.].b...+........HJq^...).T....F.x.3....=c8jt.i9..u.]......o.,O.e.B..i.u....e....2..;.b..,&..#...`l...|;..q.%.o.yf?...nW3......._9tc.v)\...Y .k....g...v..Z.m.h..p_.Y....`..b.`Q..=>$.;.a.?EF...b...U#WE3...o....Brd.I.(p........%...NS..%Q.^.9@.t}.'c.K
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:7-zip archive data, version 0.4
                                                                                                Category:dropped
                                                                                                Size (bytes):56530
                                                                                                Entropy (8bit):7.996641034577909
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:C2CCPvwJl6YuPW/W9adr918LB0czeclMVQiyllgx:ACnKQYuKu2FcmgQ
                                                                                                MD5:29795B95976A164E56C15872B764FB31
                                                                                                SHA1:4DD6A98469D584542B551D61C74C701920DA032D
                                                                                                SHA-256:B5AE456F7CDBDCC6AA48E19B1D3218F7B94F9F049768F0F1E8AD4B6CD6E45BA4
                                                                                                SHA-512:41E086AFB5D4247CF0D61DD627B485BE4957AC9FFF3F00213096009DF432FAF0ACEDF1FEE2551B4B8E891286D35FC96042ABC1377C23692906256607FAF4AB28
                                                                                                Malicious:false
                                                                                                Preview:7z..'...6BR........2.........[..ge.A:i-..;.{.s......k..c.Z.w...Uj.G. /.E ....s...)-.!N +....J...".3^`Y..^$Tr..vt.kG....WSV..^.......(.:6......^.@..'.Y..'.$....1~.h...-x.^l^......+..\..%x......'...N.....C..H....hM?.:..u.[v.l.o...0....o._..Md..#\E'.g[.......kU8>..6.T.D+WC.a."77.E.d.-T.I.p.0uzl.4........IS:.\.<.`.##e.P....#_....Lb...#L.......e....*...Ew......./.,~[5.aoM..?Oy.'..vV..$z..N.PE9....n-..!G.o.........As ..9>....0.5.P.%...J...Y..e..GF.E...#...V....'w...pX6..h..t..1..r0.....\.h.....j......P.)1.y.....$o<n....BcV\.&=....v..m.wIU..t..i1M...SUYz*.h...L.{.B.<........jr.r/z......n"dd........K...\.._....n.}...y..........W..+..96..@F..b..|....F..&.*......c.X2$0.`..>x..{MH...i.c.z....3...i`....`W.Er;..v.u.y.V.&aZD5..r...j,..+S...}..i...v.L.....F..`.m..~7v<=.....t..*.z.?.jq..-N.T..?xD.X.Vw...U..Mo..>+!...m...i.@....}Q...-aCt.Tn......]dn.. ....K..t..jJ..".&2....W.J...N._..Mk...;.=.(.. ..V.-.....qC.jLD....<..O..B....Mf...{N...J....L.o.
                                                                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):56546
                                                                                                Entropy (8bit):7.996966859255975
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                                                                MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                                                                SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                                                                SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                                                                SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                                                                Malicious:false
                                                                                                Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:7-zip archive data, version 0.4
                                                                                                Category:dropped
                                                                                                Size (bytes):56546
                                                                                                Entropy (8bit):7.996966859255979
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                                                                MD5:4CB8B7E557C80FC7B014133AB834A042
                                                                                                SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                                                                SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                                                                SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                                                                Malicious:false
                                                                                                Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                                                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):31890
                                                                                                Entropy (8bit):7.99402458740637
                                                                                                Encrypted:true
                                                                                                SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                                                                MD5:8622FC7228777F64A47BD6C61478ADD9
                                                                                                SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                                                                SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                                                                SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                                                                Malicious:false
                                                                                                Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:7-zip archive data, version 0.4
                                                                                                Category:dropped
                                                                                                Size (bytes):31890
                                                                                                Entropy (8bit):7.99402458740637
                                                                                                Encrypted:true
                                                                                                SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                                                                MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                                                                SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                                                                SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                                                                SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                                                                Malicious:false
                                                                                                Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                                                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):74960
                                                                                                Entropy (8bit):7.99759370165655
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                                                                MD5:950338D50B95A25F494EE74E97B7B7A9
                                                                                                SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                                                                SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                                                                SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                                                                Malicious:false
                                                                                                Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:7-zip archive data, version 0.4
                                                                                                Category:dropped
                                                                                                Size (bytes):74960
                                                                                                Entropy (8bit):7.997593701656546
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                                                                MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                                                                SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                                                                SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                                                                SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                                                                Malicious:false
                                                                                                Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                                                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):29730
                                                                                                Entropy (8bit):7.994290657653607
                                                                                                Encrypted:true
                                                                                                SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                                                                MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                                                                SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                                                                SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                                                                SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                                                                Malicious:false
                                                                                                Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                File Type:7-zip archive data, version 0.4
                                                                                                Category:modified
                                                                                                Size (bytes):29730
                                                                                                Entropy (8bit):7.994290657653608
                                                                                                Encrypted:true
SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
MD5:A9C8A3E00692F79E1BA9693003F85D18
SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
Malicious:false
Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):249968
Entropy (8bit):7.999181384527332
Encrypted:true
SSDEEP:6144:fZ2o9DuSSNzqMMN+4LjKvyVTM7CivpILH6Pg2sNQkCoMvJXRnj:f79DuSSFqMkHjpVw7CiBI+PJcQOMvJRj
MD5:D424B602F6750E406B4C971C9C2D2C4A
SHA1:90E6DDAA4B83B2C87002587A890BB36197A048F0
SHA-256:955D1D09ADD6984BB12F5B9DF5F5D621C2A4C0EA6919013E0826E7E238D341BB
SHA-512:56455C1C89198E61630E5EB207278FE75637547B8CA98D156D6A7753185371998021F35F0882BE63BD047ADA15F829BD6165F791D81C259B731C8E424441AB56
Malicious:false
Preview:7z..'....e).........@..........%F.....y....7.OZ-Wn.e.....!Y:<.~|`1..{8..Hb.B.=.8hj.L8v...*..........b..V.2.#..A~.....J..........*.....,....x..... 'D.*.$.....3....Su^...M...at{..]l?..L.Z>ht.k@..kf..*.0..x.....7.J....8.....&.....#4.7..{.....Hi..."..Q..K........ ).0.U.YP._...../....m..2..uw..2..*x....'.p".k]@.[.O...D,..B?...x.b.j..r\..|..j.T..h.3......q....q..PF...^.F...|.Z.5[.K....^..|h...7.@z........m.T..W74.+....".Z.{..MNM..NG&...H....~<y.9POeAf....).)..1.............R.|.%*....G.L.L.L..l.6..@.x..n...7..z.....|..^.D.c..a..o1.......u../X......;loyr......D..%.8..m(.e....^.#mg..r..B.....C9....G..............Pq..7..MA....t...8..K.W..0..p....u......B.f..|........]...f2f."..........4....S $..l.5|..T...L..N.q..].(I.......FL.=..A....E.7m/.:@..H{..@W?;+p....vn.%..X....t'.Z.q...b.&.....i......Xs...5...e...[..;J2.L..c..D.......D..w_xl...l-..?2.o......(.n.n.M:...h.B.fC.o.....W..>,..Uj..i}.......b,.y.v...m./..83.(>.b......!XI}..o.z...e.=yA.
Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):63640
Entropy (8bit):6.482810107683822
Encrypted:false
SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
MD5:B4EAACCE30F51EAF2A36CEA680B45A66
SHA1:94493D7739C5EE7346DA31D9523404D62682B195
SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 9%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
File Type:data
Category:dropped
Size (bytes):4096
Entropy (8bit):3.3535066459795764
Encrypted:false
SSDEEP:48:dXKLzDlnnL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnWwhldOVQOj6dKbKsz7
MD5:799B43ECF550F33D590F92CFC3711467
SHA1:672863B4F94FE693EB63AE74341CBD5B4330ABEA
SHA-256:8F57E4C2E94F9D06AA200B6BE6F4582E1E8FE9A0D3971F15273E6B1B152134F0
SHA-512:AB4608E516D311A4D5EC119A0F50D703EBEF83C55FB7E1E82AAAE1FF5165156069F3B67913F211038D555C5272E2CA3F15AE372C421656C1B9674A335EF14DAA
Malicious:false
Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNet
Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):5649408
Entropy (8bit):6.392614480390128
Encrypted:false
SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5:8C71B86BF407C05BAF11E8D296B9C8B8
SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulxmH/lZ:NllUg
MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:false
Preview:@...e................................. ..............@..........
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:modified
Size (bytes):3598848
Entropy (8bit):7.004949099807939
Encrypted:false
SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5:1D1464C73252978A58AC925ECE57F0FB
SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious:false
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Zt43pLXYiu.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):3366912
Entropy (8bit):6.530548291878271
Encrypted:false
SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:9902FA6D39184B87AED7D94A037912D8
SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
Malicious:true
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3598848
Entropy (8bit):7.004949099807939
Encrypted:false
SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5:1D1464C73252978A58AC925ECE57F0FB
SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious:false
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\Zt43pLXYiu.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:modified
                                                                                                Size (bytes):3366912
                                                                                                Entropy (8bit):6.530548291878271
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                                                                MD5:9902FA6D39184B87AED7D94A037912D8
                                                                                                SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                                                                                SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                                                                                SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                                                                                Malicious:true
                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                File Type:ASCII text, with CRLF, CR line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):406
                                                                                                Entropy (8bit):5.117520345541057
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                                                                MD5:9200058492BCA8F9D88B4877F842C148
                                                                                                SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                                                                SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                                                                SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                                                                Malicious:false
                                                                                                Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.921107921233916
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 98.04%
                                                                                                • Inno Setup installer (109748/4) 1.08%
                                                                                                • InstallShield setup (43055/19) 0.42%
                                                                                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                File name:Zt43pLXYiu.exe
                                                                                                File size:5'707'174 bytes
                                                                                                MD5:a8d9973fa386ac46b47fed5f05d198d5
                                                                                                SHA1:6a6cb373ff59178a029fcd2da3d5d1b29673cf3a
                                                                                                SHA256:b88488b8e7066575eb4b3cca53545388c53420f8c9519a8a1866352a07cb481d
                                                                                                SHA512:f5a00e78e0d51d7b597c4a0b0bb18d425bfb08ce5bdcc73822dce3065fb46a7782a13ded9ebcd6c9fd49947c476dd4572c072eae2049da53fea645e2b629a0c9
                                                                                                SSDEEP:98304:XwREfaptn/e8iM2INNcyrxLjEJAqr7wnVbOdMwZgf:lfapZLibGNVrhjSw+s
                                                                                                TLSH:FC461212F2CBE43EE4190B3B16B3A15495FB6A606422AD538BECB4ECCF750501E3E657
                                                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                Icon Hash:0c0c2d33ceec80aa
                                                                                                Entrypoint:0x4a83bc
                                                                                                Entrypoint Section:.itext
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:6
                                                                                                OS Version Minor:1
                                                                                                File Version Major:6
                                                                                                File Version Minor:1
                                                                                                Subsystem Version Major:6
                                                                                                Subsystem Version Minor:1
                                                                                                Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                                                Instruction
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                add esp, FFFFFFA4h
                                                                                                push ebx
                                                                                                push esi
                                                                                                push edi
                                                                                                xor eax, eax
                                                                                                mov dword ptr [ebp-3Ch], eax
                                                                                                mov dword ptr [ebp-40h], eax
                                                                                                mov dword ptr [ebp-5Ch], eax
                                                                                                mov dword ptr [ebp-30h], eax
                                                                                                mov dword ptr [ebp-38h], eax
                                                                                                mov dword ptr [ebp-34h], eax
                                                                                                mov dword ptr [ebp-2Ch], eax
                                                                                                mov dword ptr [ebp-28h], eax
                                                                                                mov dword ptr [ebp-14h], eax
                                                                                                mov eax, 004A2EBCh
                                                                                                call 00007FBE58AF5655h
                                                                                                xor eax, eax
                                                                                                push ebp
                                                                                                push 004A8AC1h
                                                                                                push dword ptr fs:[eax]
                                                                                                mov dword ptr fs:[eax], esp
                                                                                                xor edx, edx
                                                                                                push ebp
                                                                                                push 004A8A7Bh
                                                                                                push dword ptr fs:[edx]
                                                                                                mov dword ptr fs:[edx], esp
                                                                                                mov eax, dword ptr [004B0634h]
                                                                                                call 00007FBE58B86FDBh
                                                                                                call 00007FBE58B86B2Eh
                                                                                                lea edx, dword ptr [ebp-14h]
                                                                                                xor eax, eax
                                                                                                call 00007FBE58B81808h
                                                                                                mov edx, dword ptr [ebp-14h]
                                                                                                mov eax, 004B41F4h
                                                                                                call 00007FBE58AEF703h
                                                                                                push 00000002h
                                                                                                push 00000000h
                                                                                                push 00000001h
                                                                                                mov ecx, dword ptr [004B41F4h]
                                                                                                mov dl, 01h
                                                                                                mov eax, dword ptr [0049CD14h]
                                                                                                call 00007FBE58B82B33h
                                                                                                mov dword ptr [004B41F8h], eax
                                                                                                xor edx, edx
                                                                                                push ebp
                                                                                                push 004A8A27h
                                                                                                push dword ptr fs:[edx]
                                                                                                mov dword ptr fs:[edx], esp
                                                                                                call 00007FBE58B87063h
                                                                                                mov dword ptr [004B4200h], eax
                                                                                                mov eax, dword ptr [004B4200h]
                                                                                                cmp dword ptr [eax+0Ch], 01h
                                                                                                jne 00007FBE58B8DD4Ah
                                                                                                mov eax, dword ptr [004B4200h]
                                                                                                mov edx, 00000028h
                                                                                                call 00007FBE58B83428h
                                                                                                mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 22275ad5d88888daf44251b5e37a8b11 | False | 0.18785903033088236 | data | 3.7212963188606576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                                                                                NameOrdinalAddress
                                                                                                __dbk_fcall_wrapper20x40fc10
                                                                                                dbkFCallWrapperAddr10x4b063c
                                                                                                Language of compilation systemCountry where language is spokenMap
                                                                                                EnglishUnited States
                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                Dec 23, 2024 05:18:10.832348108 CET5698853192.168.2.71.1.1.1
                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                Dec 23, 2024 05:18:10.832348108 CET192.168.2.71.1.1.10xe3beStandard query (0)time.windows.comA (IP address)IN (0x0001)false
                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                Dec 23, 2024 05:18:10.969942093 CET1.1.1.1192.168.2.70xe3beNo error (0)time.windows.comtwc.trafficmanager.netCNAME (Canonical name)IN (0x0001)false

                                                                                                Target ID:0
                                                                                                Start time:23:18:01
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Users\user\Desktop\Zt43pLXYiu.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\Zt43pLXYiu.exe"
                                                                                                Imagebase:0x680000
                                                                                                File size:5'707'174 bytes
                                                                                                MD5 hash:A8D9973FA386AC46B47FED5F05D198D5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:23:18:01
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user~1\AppData\Local\Temp\is-J49UG.tmp\Zt43pLXYiu.tmp" /SL5="$2040A,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"
                                                                                                Imagebase:0x1c0000
                                                                                                File size:3'366'912 bytes
                                                                                                MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:23:18:02
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                                Imagebase:0x7ff741d30000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:23:18:02
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:23:18:02
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Users\user\Desktop\Zt43pLXYiu.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
                                                                                                Imagebase:0x680000
                                                                                                File size:5'707'174 bytes
                                                                                                MD5 hash:A8D9973FA386AC46B47FED5F05D198D5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Reputation:low
                                                                                                Has exited:false

                                                                                                Target ID:6
                                                                                                Start time:23:18:03
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user~1\AppData\Local\Temp\is-V6DLU.tmp\Zt43pLXYiu.tmp" /SL5="$2040E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
                                                                                                Imagebase:0xbc0000
                                                                                                File size:3'366'912 bytes
                                                                                                MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:7
                                                                                                Start time:23:18:04
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:23:18:05
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:9
                                                                                                Start time:23:18:05
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                Imagebase:0x7ff750610000
                                                                                                File size:329'504 bytes
                                                                                                MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:10
                                                                                                Start time:23:18:05
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:11
                                                                                                Start time:23:18:06
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:23:18:06
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:23:18:06
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                                                                Imagebase:0xeb0000
                                                                                                File size:831'200 bytes
                                                                                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Antivirus matches:
                                                                                                • Detection: 0%, ReversingLabs
                                                                                                Has exited:true

                                                                                                Target ID:14
                                                                                                Start time:23:18:06
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:15
                                                                                                Start time:23:18:06
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:16
Start time: 23:18:07
Start date: 22/12/2024
Path: C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit): true
Commandline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Imagebase: 0xeb0000
File size: 831'200 bytes
MD5 hash: 84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 23:18:07
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 23:18:07
Start date: 22/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 19
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff7fb730000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 22
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 23:18:08
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 23:18:09
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:39
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:40
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:41
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:42
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:43
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:44
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:45
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:46
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:47
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:48
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:49
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:50
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:51
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:52
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:53
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:54
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:55
                                                                                                Start time:23:18:09
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 23:18:09
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 57
Start time: 23:18:09
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 58
Start time: 23:18:09
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 23:18:09
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 61
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 62
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 63
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 64
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 65
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 66
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 67
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 68
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 69
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 70
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 71
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 72
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 73
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 74
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 75
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff7515a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 76
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff755fc0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 77
Start time: 23:18:10
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:78
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:79
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:80
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:81
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:82
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:83
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:84
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:85
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:86
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:87
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:88
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:89
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:90
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:91
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:92
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:93
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:94
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:sc start CleverSoar
                                                                                                Imagebase:0x7ff755fc0000
                                                                                                File size:72'192 bytes
                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:95
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:96
                                                                                                Start time:23:18:11
                                                                                                Start date:22/12/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c start sc start CleverSoar
                                                                                                Imagebase:0x7ff7515a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.6%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:15.5%
                                                                                                  Total number of Nodes:818
                                                                                                  Total number of Limit Nodes:9
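The execution_graph data that follows these counters is the serialized node and edge list behind the report's interactive graph, not readable prose: each node is an integer id, a hex address and zero or more labels (imported API names such as NtSetInformationThread, or summaries such as "18 API calls 2 library calls"), and an "a->b" token is a directed edge. The parser below is an added example written for this edit, not part of the Joe Sandbox report or its tooling. It reconstructs nodes and edges from an excerpt copied from the dump and answers the questions an analyst actually asks of the graph: which node calls NtSetInformationThread, which node chains AdjustTokenPrivileges into NtInitiatePowerAction, and who calls it. The token grammar and the PascalCase heuristic for telling API names from summary labels are inferred from the dump and are assumptions.

```python
"""Parser for the serialized Joe Sandbox execution_graph dump.

Assumed token grammar (inferred from the dump, not documented by the report):
  <node_id> <hex_address> [label ...]   introduces a node
  <src>-><dst>                           directed edge
  anything else                          label on the most recent node
"""
import re
from dataclasses import dataclass, field

# Excerpt copied from the report's execution_graph dump.
SAMPLE_GRAPH = (
    "execution_graph 99916 6d103d62 99918 6d103bc0 99916->99918 "
    "99917 6d103e8a GetCurrentThread NtSetInformationThread 99919 6d103eea "
    "99917->99919 99918->99917 99924 6d12639e 100190 6d290130 18 API calls "
    "2 library calls 99924->100190 100189 6d285d60 GetCurrentProcess "
    "OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges "
    "NtInitiatePowerAction 99962->100189 99964 6d112452 Sleep 99964->99929"
)

NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# Heuristic: Windows API names are PascalCase identifiers. "API" itself comes
# from the "N API calls" summaries and is excluded explicitly.
API_LIKE = re.compile(r"^[A-Z][A-Za-z0-9]+$")


@dataclass
class Node:
    node_id: int
    address: int
    labels: list = field(default_factory=list)

    def apis(self):
        """Labels that look like imported API names, in call order."""
        return [l for l in self.labels if API_LIKE.match(l) and l != "API"]


def parse_execution_graph(text):
    """Return ({node_id: Node}, [(src, dst), ...]) from a graph dump."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            # A bare number is only a node id when a hex address follows it;
            # otherwise it is part of a summary label such as "18 API calls".
            current = Node(int(tok), int(tokens[i + 1], 16))
            nodes[current.node_id] = current
            i += 1
        elif current is not None:
            current.labels.append(tok)
        i += 1
    return nodes, edges


def nodes_calling(nodes, api_name):
    """Sorted ids of nodes whose labels include the given API."""
    return sorted(n.node_id for n in nodes.values() if api_name in n.apis())


def find_sequence(nodes, sequence):
    """Sorted ids of nodes whose API labels contain `sequence` as a contiguous run."""
    seq = list(sequence)
    hits = []
    for n in nodes.values():
        apis = n.apis()
        for start in range(len(apis) - len(seq) + 1):
            if apis[start:start + len(seq)] == seq:
                hits.append(n.node_id)
                break
    return sorted(hits)


def callers_of(nodes, edges, api_name):
    """Sorted ids of nodes with an edge into any node that calls `api_name`."""
    targets = set(nodes_calling(nodes, api_name))
    return sorted({src for src, dst in edges if dst in targets})


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for n in nodes.values():
        if n.apis():
            print(f"{n.address:08x}: {' '.join(n.apis())}")
```

Run the file as-is to list every node in the excerpt that names an API; feed it the full dump (everything after the "execution_graph" token) to get the complete picture. Edges may reference node ids outside the excerpt, as 99962 and 99929 do here, so callers_of works on edge endpoints rather than requiring both nodes to be present.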
                                                                                                  execution_graph: node and edge data of the interactive execution graph (not readable as text). Windows API sequences recovered from the node labels, by function address:
                                                                                                  6d103e8a: GetCurrentThread NtSetInformationThread
                                                                                                  6d285d60: GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction
                                                                                                  6d10fbe8: ExitWindowsEx Sleep
                                                                                                  6d10e8dd, 6d119bbd, 6d1202ac: GetCurrentProcess TerminateProcess
                                                                                                  6d285120: OpenSCManagerA, then OpenServiceA (6d2851e8)
                                                                                                  6d285240: CreateToolhelp32Snapshot Process32FirstW Process32NextW CloseHandle
                                                                                                  6d284ff0: CreateProcessA WaitForSingleObject CloseHandle
                                                                                                  6d27aec0: FindFirstFileA FindClose
                                                                                                  6d105164, 6d25bced, 6d11f243: CreateFileA; 6d25c1e0, 6d25aa30: WriteFile ReadFile; 6d2a4457: CreateFileW
                                                                                                  6d1137d0, 6d112452, 6d10ed02, 6d11a292: Sleep
                                                                                                  6d286a43 and the remaining nodes: IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection, GetFileType, SetStdHandle, GetConsoleMode, MultiByteToWideChar, HeapAlloc, HeapFree, GetLastError, SetLastError (C runtime and stdio helpers)
std::_Facet_Register 4 API calls 100865->100867 100866->100791 100866->100864 100866->100865 100869 6d118ecd _Yarn _strlen 100866->100869 100867->100869 100868->100869 100869->100811 100870 6d119354 100869->100870 100871 6d11936d 100869->100871 100874 6d119307 _Yarn 100869->100874 100872 6d286a43 std::_Facet_Register 4 API calls 100870->100872 100873 6d286a43 std::_Facet_Register 4 API calls 100871->100873 100872->100874 100873->100874 100875 6d285960 104 API calls 100874->100875 100878 6d1193ba std::ios_base::_Ios_base_dtor 100875->100878 100876 6d286a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100876->100880 100877 6d284ff0 4 API calls 100877->100805 100878->100791 100878->100877 100879 6d284ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 100879->100880 100880->100791 100880->100805 100880->100811 100880->100812 100880->100830 100880->100876 100880->100879 100882->100815 100883 6d28ef3f 100884 6d28ef4b __wsopen_s 100883->100884 100885 6d28ef5f 100884->100885 100886 6d28ef52 GetLastError ExitThread 100884->100886 100887 6d2949b2 __Getctype 37 API calls 100885->100887 100888 6d28ef64 100887->100888 100895 6d299d66 100888->100895 100891 6d28ef7b 100901 6d28eeaa 16 API calls 2 library calls 100891->100901 100894 6d28ef9d 100896 6d299d78 GetPEB 100895->100896 100897 6d28ef6f 100895->100897 100896->100897 100898 6d299d8b 100896->100898 100897->100891 100900 6d296d6f 5 API calls std::_Lockit::_Lockit 100897->100900 100902 6d296e18 5 API calls std::_Lockit::_Lockit 100898->100902 100900->100891 100901->100894 100902->100897 100903 6d29cad3 100904 6d29cafd 100903->100904 100905 6d29cae5 __dosmaperr 100903->100905 100904->100905 100907 6d29cb77 100904->100907 100908 6d29cb48 __dosmaperr 100904->100908 100909 6d29cb90 100907->100909 100910 6d29cbab __dosmaperr 100907->100910 100912 6d29cbe7 __wsopen_s 100907->100912 100945 6d290120 18 API calls __wsopen_s 100908->100945 100909->100910 100931 
6d29cb95 100909->100931 100938 6d290120 18 API calls __wsopen_s 100910->100938 100911 6d2a19e5 __wsopen_s 18 API calls 100913 6d29cd3e 100911->100913 100939 6d2947bb HeapFree GetLastError _free 100912->100939 100916 6d29cdb4 100913->100916 100919 6d29cd57 GetConsoleMode 100913->100919 100918 6d29cdb8 ReadFile 100916->100918 100917 6d29cc07 100940 6d2947bb HeapFree GetLastError _free 100917->100940 100921 6d29ce2c GetLastError 100918->100921 100922 6d29cdd2 100918->100922 100919->100916 100923 6d29cd68 100919->100923 100926 6d29cbc2 __dosmaperr __wsopen_s 100921->100926 100922->100921 100928 6d29cda9 100922->100928 100923->100918 100925 6d29cd6e ReadConsoleW 100923->100925 100924 6d29cc0e 100924->100926 100941 6d29ac69 20 API calls __wsopen_s 100924->100941 100925->100928 100929 6d29cd8a GetLastError 100925->100929 100942 6d2947bb HeapFree GetLastError _free 100926->100942 100928->100926 100932 6d29ce0e 100928->100932 100933 6d29cdf7 100928->100933 100929->100926 100931->100911 100932->100926 100935 6d29ce25 100932->100935 100943 6d29cefe 23 API calls 3 library calls 100933->100943 100944 6d29d1b6 21 API calls __wsopen_s 100935->100944 100937 6d29ce2a 100937->100926 100938->100926 100939->100917 100940->100924 100941->100931 100942->100905 100943->100926 100944->100937 100945->100905
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _strlen
                                                                                                  • String ID: HR^
                                                                                                  • API String ID: 4218353326-1341859651
                                                                                                  • Opcode ID: 4aef5a484f22bb256ab531e6914c0d73da866c611303a23a332063f60d267a95
                                                                                                  • Instruction ID: f2e58fd50577a8a2289241f1a2273110b1f102887a7461fe702e14974a39779a
                                                                                                  • Opcode Fuzzy Hash: 4aef5a484f22bb256ab531e6914c0d73da866c611303a23a332063f60d267a95
                                                                                                  • Instruction Fuzzy Hash: 4A740771644B028FC728CF28C8D06A5B7F3FF95314B19CA6DC0968B659EBB4B54ACB50
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: }jk$;T55$L@^
                                                                                                  • API String ID: 0-4218709813
                                                                                                  • Opcode ID: 00201b61d1b229733041bd2b86a1e1f575775a20a988490a2c0250dc72a0f143
                                                                                                  • Instruction ID: 3d5143ce9230b2e7ec0e4242839893edb4847c0acb2d80f5e3d62f1df4742eff
                                                                                                  • Opcode Fuzzy Hash: 00201b61d1b229733041bd2b86a1e1f575775a20a988490a2c0250dc72a0f143
                                                                                                  • Instruction Fuzzy Hash: A234F6716487028FC729CF28CCD0AA5B7E3BF95314B19CA7DC0A64B659E7B4B54ACB40

                                                                                                  Control-flow Graph: function at 6d285240 (graph image not reproduced; nodes call CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and CloseHandle)
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6D28524E
                                                                                                  Similarity
                                                                                                  • API ID: CreateSnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3332741929-0
                                                                                                  • Opcode ID: 1c73e84b129a73d72edde71dda66e1047b0a348a96b954dddf85cc4db44cf6d6
                                                                                                  • Instruction ID: 0e174b03c74deefdd1797a89df83dd00b55d18a786279a2ec077407be8be6a8e
                                                                                                  • Opcode Fuzzy Hash: 1c73e84b129a73d72edde71dda66e1047b0a348a96b954dddf85cc4db44cf6d6
                                                                                                  • Instruction Fuzzy Hash: 0031AE74558306AFD7119F28C888B2EBBF4BF8A351F90492DF489C72A1D770D85C8B52

                                                                                                  Control-flow Graph: function at 6d103886 (graph image not reproduced; nodes call GetCurrentThread followed by NtSetInformationThread)
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c5ccbddf5d029f292a3e0452f9fff1e1b7047573ee35f9177ad13a6017c9fe6b
                                                                                                  • Instruction ID: e073263f9c60a09d31945c2b8dddab869eac82acdffc9dc5cde3e930c9ec996c
                                                                                                  • Opcode Fuzzy Hash: c5ccbddf5d029f292a3e0452f9fff1e1b7047573ee35f9177ad13a6017c9fe6b
                                                                                                  • Instruction Fuzzy Hash: 7C32D432244B018FC325CF28C8D0AA5B7E3FF9531476A8A6DC0AA5B659DBB5B447CB50

                                                                                                  Control-flow Graph: function at 6d103a6a (graph image not reproduced; nodes call GetCurrentThread followed by NtSetInformationThread)
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2882836952-0
                                                                                                  • Opcode ID: c9e86cf804df842191b46fd8e11580eacea39eb33fff89b226563a726a1ec824
                                                                                                  • Instruction ID: 4cf4cb0aacad7cc35edce1b44451d80ce1eb1b1efb71736ba5a8c76778f027d6
                                                                                                  • Opcode Fuzzy Hash: c9e86cf804df842191b46fd8e11580eacea39eb33fff89b226563a726a1ec824
                                                                                                  • Instruction Fuzzy Hash: 7C51F1311587018FC321DF28C480B95B7A3BFA9314F6A8A5DC0E65B299DFF574468B91
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2882836952-0
                                                                                                  • Opcode ID: 0de0e01ed00f2cfb34f80a9276e6fb5974b27ae40a7b2a59d8402d23fd4a7a8c
                                                                                                  • Instruction ID: a2c6014268ec7a30fb70a270db41aabe1e5c5d8abf97513a04bcca4899a15a2b
                                                                                                  • Opcode Fuzzy Hash: 0de0e01ed00f2cfb34f80a9276e6fb5974b27ae40a7b2a59d8402d23fd4a7a8c
                                                                                                  • Instruction Fuzzy Hash: F051D131158B018BC321DF28C480B96B7A3BF9A314F668B1DC0E65B299DFF1B4478B91
                                                                                                  APIs
                                                                                                  • GetCurrentThread.KERNEL32 ref: 6D103E9D
                                                                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6D103EAA
                                                                                                  Similarity
                                                                                                  • API ID: Thread$CurrentInformation
                                                                                                  • String ID:
                                                                                                  • API String ID: 1650627709-0
                                                                                                  • Opcode ID: 20e8dad43b5cd7b0b407fe5593a08d02273b44440d15821934c922a8e4d04ab3
                                                                                                  • Instruction ID: f81203ecc6c1650bb1a2c709c9be3864b1dcc662384d7905f770df64336eab1b
                                                                                                  • Opcode Fuzzy Hash: 20e8dad43b5cd7b0b407fe5593a08d02273b44440d15821934c922a8e4d04ab3
                                                                                                  • Instruction Fuzzy Hash: DA312431559B01CFC321DF24C894BC6B7A3BFAA314F1A8A1CC0A65B298DFF570068B51
                                                                                                  APIs
                                                                                                  • GetCurrentThread.KERNEL32 ref: 6D103E9D
                                                                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6D103EAA
                                                                                                  Similarity
                                                                                                  • API ID: Thread$CurrentInformation
                                                                                                  • String ID:
                                                                                                  • API String ID: 1650627709-0
                                                                                                  • Opcode ID: 375b9687a801767dad513542854e8146d32779bacb0d5459412280e97a12066e
                                                                                                  • Instruction ID: 7777cba599eb3fd5523ad7250b33114111d71a42145e7dd93c13d5004a3fe07b
                                                                                                  • Opcode Fuzzy Hash: 375b9687a801767dad513542854e8146d32779bacb0d5459412280e97a12066e
                                                                                                  • Instruction Fuzzy Hash: 0731E131118701CBC725DF28C490B96B7A7BF6A304F668A1DC0A65B289DFF17446CB92
                                                                                                  APIs
                                                                                                  • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6D285130
                                                                                                  Similarity
                                                                                                  • API ID: ManagerOpen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1889721586-0
                                                                                                  • Opcode ID: 66d3c6c5d8a15ac17f8580dc7e7c0c7d26db6efdb80ab80d6aa0f99db64bf144
                                                                                                  • Instruction ID: 79a2a336bcb7bf9afdd3682cbc68de9fd1f2fd4bee4ff4f8fd146747275d3621
                                                                                                  • Opcode Fuzzy Hash: 66d3c6c5d8a15ac17f8580dc7e7c0c7d26db6efdb80ab80d6aa0f99db64bf144
                                                                                                  • Instruction Fuzzy Hash: DD314B74648306EFC7108F28C544B1ABBF4FBC9756F50885AF889C63A1C375C8489B52
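The two argument-level details in the entries above, NtSetInformationThread called with information class 0x11 on the current thread (ref 6D103EAA, the behaviour behind the report's "Hides threads from debuggers" signature, since 0x11 is ThreadHideFromDebugger) and OpenSCManagerA called with desired access 0x1 (ref 6D285130, SC_MANAGER_CONNECT), are exactly what a triage script can lift out of this section without reading every function. The Python below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It parses API-call lines in the format printed here (the sample input is constructed by copying lines from this section), keeps arguments the plugin printed as `?` unresolved, and decodes the resolved ones against the standard Windows constants ThreadHideFromDebugger = 0x11, ThreadBreakOnTermination = 0x12 and the SC_MANAGER_* access rights. The function and table names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: API-call lines copied from this report section
# (the refs are the instruction addresses the IDA plugin printed).
SAMPLE_LINES = """
• GetCurrentThread.KERNEL32 ref: 6D103E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6D103EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6D285130
• FindFirstFileA.KERNEL32(?,?), ref: 6D27AEDC
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6D25ABA7
"""

# Standard Windows constants: ntdll THREADINFOCLASS values and winsvc.h SCM access rights.
THREADINFOCLASS = {0x11: "ThreadHideFromDebugger", 0x12: "ThreadBreakOnTermination"}
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}

# Matches "• Api.MODULE(arg,arg,...), ref: ADDR" and the argument-less "• Api.MODULE ref: ADDR".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the plugin printed '?' (unresolved at analysis time)
    ref: int


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one report line; return None for lines that are not API-call entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_calls(text: str) -> List[ApiCall]:
    return [c for c in (parse_call(line) for line in text.splitlines()) if c]


def decode_mask(mask: int, table: dict) -> str:
    """Render an access mask as '|'-joined right names, keeping unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    rest = mask & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def classify(call: ApiCall) -> Optional[str]:
    """Describe the call when its resolved arguments reveal a technique, else None.
    Only resolved arguments are interpreted; an unresolved class or mask yields no finding."""
    if call.api == "NtSetInformationThread" and len(call.args) >= 2 and call.args[1] is not None:
        name = THREADINFOCLASS.get(call.args[1])
        if name == "ThreadHideFromDebugger":
            return "anti-debug: NtSetInformationThread(ThreadHideFromDebugger)"
        if name == "ThreadBreakOnTermination":
            return "self-protection: NtSetInformationThread(ThreadBreakOnTermination)"
        return None
    if call.api.startswith("OpenSCManager") and len(call.args) >= 3 and call.args[2] is not None:
        return "opens service control manager with " + decode_mask(call.args[2], SC_MANAGER_RIGHTS)
    return None


def scan(text: str):
    """Return (ref, api, finding) for every call line that classify() flags."""
    out = []
    for call in parse_calls(text):
        finding = classify(call)
        if finding:
            out.append((call.ref, call.api, finding))
    return out


if __name__ == "__main__":
    for ref, api, finding in scan(SAMPLE_LINES):
        print(f"{ref:08X} {api}: {finding}")
```

On the sample input the scan reports the ThreadHideFromDebugger call at 6D103EAA and a connect-only SCM handle at 6D285130, and nothing for FindFirstFileA or ReadFile, whose interesting arguments the plugin left as `?`. Treating `?` as "unknown" rather than as zero matters: the same 00000000 that appears as the handle argument of NtSetInformationThread would otherwise be indistinguishable from a resolved value, so the classifier keys only on the information class and the access mask.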
                                                                                                  APIs
                                                                                                  • GetCurrentThread.KERNEL32 ref: 6D103E9D
                                                                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6D103EAA
                                                                                                  Similarity
                                                                                                  • API ID: Thread$CurrentInformation
                                                                                                  • String ID:
                                                                                                  • API String ID: 1650627709-0
                                                                                                  • Opcode ID: 386a1b223d81fdc99b62503dc8883015896e11611ea81f0d539e50c8b7cd52b4
                                                                                                  • Instruction ID: 9f4457dc14e4f5145ad9492c8d518d532f981943e1140452b45396823470a776
                                                                                                  • Opcode Fuzzy Hash: 386a1b223d81fdc99b62503dc8883015896e11611ea81f0d539e50c8b7cd52b4
                                                                                                  • Instruction Fuzzy Hash: C0213870158701CBD325DF74C890B9A77B7BF5A304F158A1DC0A697288DFF174058B52
                                                                                                  APIs
                                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 6D27AEDC
                                                                                                  Similarity
                                                                                                  • API ID: FileFindFirst
                                                                                                  • String ID:
                                                                                                  • API String ID: 1974802433-0
                                                                                                  • Opcode ID: 75a378de1dbd8ab185f2667d6e14cc28ef0e27738b52d03aee8f918852ce3cbf
                                                                                                  • Instruction ID: aadf3a83c0a821566105f77865f4f6331e1dff929985aaab696df2feabf81b09
                                                                                                  • Opcode Fuzzy Hash: 75a378de1dbd8ab185f2667d6e14cc28ef0e27738b52d03aee8f918852ce3cbf
                                                                                                  • Instruction Fuzzy Hash: 10113AB4458356AFD7208B28D94491E7BE8BF86321F148D59F4A9CB291D331CC448B53
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6D25ABA7
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                                                                                  • API String ID: 2738559852-1563143607
                                                                                                  • Opcode ID: 4cba56b1ffb9b5b5bbe8e747d5a96ac1142653fd9111b985f3b496a67923cedf
                                                                                                  • Instruction ID: 7f23450b15bb462462eb37fa3d5e4e1e413edb670850780fbcd3a8757ed31775
                                                                                                  • Opcode Fuzzy Hash: 4cba56b1ffb9b5b5bbe8e747d5a96ac1142653fd9111b985f3b496a67923cedf
                                                                                                  • Instruction Fuzzy Hash: 6A62697065838A8FCB25CF18C491F6ABBF2AFD9305F14891EE499CB350D734E8558B92

                                                                                                  Control-flow graph for the function at 6d29cad3 (basic blocks 6d29cad3 through 6d29ce82). External calls in the graph: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError. Internal calls: 6d28f9cc, 6d28f9df, 6d28f9f2, 6d290120, 6d2947bb, 6d2947f5, 6d29ac69, 6d29ce83, 6d29cefe, 6d29d1b6, 6d2a19e5.
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 8Q
                                                                                                  • API String ID: 0-4022487301
                                                                                                  • Opcode ID: 1cb29d0b1af8a1dd6069fafe5100d7b09923c40659d04650f53b3c9fb2e65478
                                                                                                  • Instruction ID: e04ecfa98c7be38d1d2a0783b004fb46e200e5cb0162179a23b1c4543efa80fb
                                                                                                  • Opcode Fuzzy Hash: 1cb29d0b1af8a1dd6069fafe5100d7b09923c40659d04650f53b3c9fb2e65478
                                                                                                  • Instruction Fuzzy Hash: 7CC1E570A9824EAFDF01CFAAC880BBDBBB4BF4A715F404469E551AF281C7719941DB70

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 6933 6d2a406c-6d2a409c call 6d2a44ec 6936 6d2a409e-6d2a40a9 call 6d28f9df 6933->6936 6937 6d2a40b7-6d2a40c3 call 6d2a160c 6933->6937 6944 6d2a40ab-6d2a40b2 call 6d28f9cc 6936->6944 6942 6d2a40dc-6d2a4125 call 6d2a4457 6937->6942 6943 6d2a40c5-6d2a40da call 6d28f9df call 6d28f9cc 6937->6943 6953 6d2a4192-6d2a419b GetFileType 6942->6953 6954 6d2a4127-6d2a4130 6942->6954 6943->6944 6951 6d2a4391-6d2a4395 6944->6951 6955 6d2a419d-6d2a41ce GetLastError call 6d28f9f2 CloseHandle 6953->6955 6956 6d2a41e4-6d2a41e7 6953->6956 6958 6d2a4132-6d2a4136 6954->6958 6959 6d2a4167-6d2a418d GetLastError call 6d28f9f2 6954->6959 6955->6944 6970 6d2a41d4-6d2a41df call 6d28f9cc 6955->6970 6962 6d2a41e9-6d2a41ee 6956->6962 6963 6d2a41f0-6d2a41f6 6956->6963 6958->6959 6964 6d2a4138-6d2a4165 call 6d2a4457 6958->6964 6959->6944 6967 6d2a41fa-6d2a4248 call 6d2a17b0 6962->6967 6963->6967 6968 6d2a41f8 6963->6968 6964->6953 6964->6959 6975 6d2a424a-6d2a4256 call 6d2a4666 6967->6975 6976 6d2a4267-6d2a428f call 6d2a4710 6967->6976 6968->6967 6970->6944 6975->6976 6982 6d2a4258 6975->6982 6983 6d2a4291-6d2a4292 6976->6983 6984 6d2a4294-6d2a42d5 6976->6984 6985 6d2a425a-6d2a4262 call 6d29b925 6982->6985 6983->6985 6986 6d2a42f6-6d2a4304 6984->6986 6987 6d2a42d7-6d2a42db 6984->6987 6985->6951 6988 6d2a430a-6d2a430e 6986->6988 6989 6d2a438f 6986->6989 6987->6986 6991 6d2a42dd-6d2a42f1 6987->6991 6988->6989 6992 6d2a4310-6d2a4343 CloseHandle call 6d2a4457 6988->6992 6989->6951 6991->6986 6996 6d2a4377-6d2a438b 6992->6996 6997 6d2a4345-6d2a4371 GetLastError call 6d28f9f2 call 6d2a171f 6992->6997 6996->6989 6997->6996
                                                                                                  APIs
                                                                                                    • Part of subcall function 6D2A4457: CreateFileW.KERNEL32(00000000,00000000,?,6D2A4115,?,?,00000000,?,6D2A4115,00000000,0000000C), ref: 6D2A4474
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D2A4180
                                                                                                  • __dosmaperr.LIBCMT ref: 6D2A4187
                                                                                                  • GetFileType.KERNEL32(00000000), ref: 6D2A4193
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D2A419D
                                                                                                  • __dosmaperr.LIBCMT ref: 6D2A41A6
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6D2A41C6
                                                                                                  • CloseHandle.KERNEL32(6D29B0D0), ref: 6D2A4313
                                                                                                  • GetLastError.KERNEL32 ref: 6D2A4345
                                                                                                  • __dosmaperr.LIBCMT ref: 6D2A434C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                  • String ID: 8Q
                                                                                                  • API String ID: 4237864984-4022487301
                                                                                                  • Opcode ID: db1320e06f96f8f9915c44b10a896c7688f5b16fe196a408b0906740decf7716
                                                                                                  • Instruction ID: 244466b1653e4d4bfd614b7c2aff119e31ee438cb015e6b900b81149778a8c60
                                                                                                  • Opcode Fuzzy Hash: db1320e06f96f8f9915c44b10a896c7688f5b16fe196a408b0906740decf7716
                                                                                                  • Instruction Fuzzy Hash: 45A14632A5814A9FCF098F78C851BBE7BB1EB4B329F184159E915AF281CB75C807CB51

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 7002 6d25c1e0-6d25c239 call 6d286b70 7005 6d25c260-6d25c269 7002->7005 7006 6d25c2b0-6d25c2b5 7005->7006 7007 6d25c26b-6d25c270 7005->7007 7008 6d25c2b7-6d25c2bc 7006->7008 7009 6d25c330-6d25c335 7006->7009 7010 6d25c2f0-6d25c2f5 7007->7010 7011 6d25c272-6d25c277 7007->7011 7012 6d25c407-6d25c41b 7008->7012 7013 6d25c2c2-6d25c2c7 7008->7013 7016 6d25c489-6d25c4b9 call 6d28b3a0 7009->7016 7017 6d25c33b-6d25c340 7009->7017 7014 6d25c431-6d25c448 WriteFile 7010->7014 7015 6d25c2fb-6d25c300 7010->7015 7018 6d25c372-6d25c3df WriteFile 7011->7018 7019 6d25c27d-6d25c282 7011->7019 7020 6d25c41f-6d25c42c 7012->7020 7021 6d25c2cd-6d25c2d2 7013->7021 7022 6d25c23b-6d25c250 7013->7022 7024 6d25c452-6d25c47f call 6d28b920 ReadFile 7014->7024 7023 6d25c306-6d25c30b 7015->7023 7015->7024 7016->7005 7026 6d25c346-6d25c36d 7017->7026 7027 6d25c4be-6d25c4c3 7017->7027 7028 6d25c3e9-6d25c3fd WriteFile 7018->7028 7019->7028 7029 6d25c288-6d25c28d 7019->7029 7020->7005 7021->7005 7030 6d25c2d4-6d25c2e7 7021->7030 7033 6d25c253-6d25c258 7022->7033 7023->7005 7032 6d25c311-6d25c32b 7023->7032 7024->7016 7026->7033 7027->7005 7035 6d25c4c9-6d25c4d7 7027->7035 7028->7012 7029->7005 7036 6d25c28f-6d25c2aa 7029->7036 7030->7033 7032->7020 7033->7005 7036->7033
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :uW$;uW$;uW$> 4!$> 4!
                                                                                                  • API String ID: 0-4100612575
                                                                                                  • Opcode ID: b6f1c28316f3e8e1df650376d3542dbbcc5aa99a4f2dd95beccafd0c1e4c0d83
                                                                                                  • Instruction ID: 2c2c0de5c56bce0f04f56c279227019552b022aa82fd67efa67e5d90454a0b78
                                                                                                  • Opcode Fuzzy Hash: b6f1c28316f3e8e1df650376d3542dbbcc5aa99a4f2dd95beccafd0c1e4c0d83
                                                                                                  • Instruction Fuzzy Hash: 89714DB015834AAFD710CF54C480B6ABBF5BF8AB05F10492EF498D6251E771D894EB92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: K?Jo$K?Jo$`Rlx$7eO
                                                                                                  • API String ID: 0-174837320
                                                                                                  • Opcode ID: 78e2a90a1858eac7927c8b4a659d63895cc63d522679515ee0b012fde639dfb0
                                                                                                  • Instruction ID: 0dc8b911e5d66cb28c9b6c273808b005ff8a35c0e24ab9051c6585707b96bb9e
                                                                                                  • Opcode Fuzzy Hash: 78e2a90a1858eac7927c8b4a659d63895cc63d522679515ee0b012fde639dfb0
                                                                                                  • Instruction Fuzzy Hash: CB4266B969834A8FC755CF18C490B2ABBE1BFCA311F108D1EE5A987320D635D865CB53
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ;T55
                                                                                                  • API String ID: 0-2572755013
                                                                                                  • Opcode ID: 790dc6e5abdc3e401b04826c941a7a33d371b785675862d7bc8aec0ea63d932c
                                                                                                  • Instruction ID: ff6db59bb3db0fc8b8f4a2b7005224d015480b090e320fa23db7f6a71850402f
                                                                                                  • Opcode Fuzzy Hash: 790dc6e5abdc3e401b04826c941a7a33d371b785675862d7bc8aec0ea63d932c
                                                                                                  • Instruction Fuzzy Hash: B803F8326547028FC729CF28C8D06A5B7E3BFD5324719CA7DC0A64B699DBB4B44ACB50

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 7579 6d284ff0-6d285077 CreateProcessA 7580 6d2850ca-6d2850d3 7579->7580 7581 6d2850f0-6d28510b 7580->7581 7582 6d2850d5-6d2850da 7580->7582 7581->7580 7583 6d2850dc-6d2850e1 7582->7583 7584 6d285080-6d2850c2 WaitForSingleObject CloseHandle * 2 7582->7584 7583->7580 7585 6d2850e3-6d285118 7583->7585 7584->7580
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateProcess
                                                                                                  • String ID: D
                                                                                                  • API String ID: 963392458-2746444292
                                                                                                  • Opcode ID: 83b79b773948a467863e1a790df514567811702176261eed0503f6fa0e6e5eef
                                                                                                  • Instruction ID: bf6baa486c3f0da092811c7bae60189f438133f010938ede7be703874619fb24
                                                                                                  • Opcode Fuzzy Hash: 83b79b773948a467863e1a790df514567811702176261eed0503f6fa0e6e5eef
                                                                                                  • Instruction Fuzzy Hash: BF3101708193819FE340DF28C198B2EBBF0EB8A315F409A1DF89996291E77495888F43

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 7587 6d29bc5e-6d29bc7a 7588 6d29be39 7587->7588 7589 6d29bc80-6d29bc82 7587->7589 7590 6d29be3b-6d29be3f 7588->7590 7591 6d29bca4-6d29bcc5 7589->7591 7592 6d29bc84-6d29bc97 call 6d28f9df call 6d28f9cc call 6d290120 7589->7592 7593 6d29bccc-6d29bcd2 7591->7593 7594 6d29bcc7-6d29bcca 7591->7594 7607 6d29bc9c-6d29bc9f 7592->7607 7593->7592 7597 6d29bcd4-6d29bcd9 7593->7597 7594->7593 7594->7597 7599 6d29bcdb-6d29bce7 call 6d29ac69 7597->7599 7600 6d29bcea-6d29bcfb call 6d29be40 7597->7600 7599->7600 7608 6d29bcfd-6d29bcff 7600->7608 7609 6d29bd3c-6d29bd4e 7600->7609 7607->7590 7610 6d29bd01-6d29bd09 7608->7610 7611 6d29bd26-6d29bd32 call 6d29beb1 7608->7611 7612 6d29bd50-6d29bd59 7609->7612 7613 6d29bd95-6d29bdb7 WriteFile 7609->7613 7614 6d29bdcb-6d29bdce 7610->7614 7615 6d29bd0f-6d29bd1c call 6d29c25b 7610->7615 7623 6d29bd37-6d29bd3a 7611->7623 7619 6d29bd5b-6d29bd5e 7612->7619 7620 6d29bd85-6d29bd93 call 6d29c2c3 7612->7620 7617 6d29bdb9-6d29bdbf GetLastError 7613->7617 7618 6d29bdc2 7613->7618 7625 6d29bdd1-6d29bdd6 7614->7625 7631 6d29bd1f-6d29bd21 7615->7631 7617->7618 7624 6d29bdc5-6d29bdca 7618->7624 7626 6d29bd60-6d29bd63 7619->7626 7627 6d29bd75-6d29bd83 call 6d29c487 7619->7627 7620->7623 7623->7631 7624->7614 7632 6d29bdd8-6d29bddd 7625->7632 7633 6d29be34-6d29be37 7625->7633 7626->7625 7634 6d29bd65-6d29bd73 call 6d29c39e 7626->7634 7627->7623 7631->7624 7636 6d29be09-6d29be15 7632->7636 7637 6d29bddf-6d29bde4 7632->7637 7633->7590 7634->7623 7639 6d29be1c-6d29be2f call 6d28f9cc call 6d28f9df 7636->7639 7640 6d29be17-6d29be1a 7636->7640 7641 6d29bdfd-6d29be04 call 6d28f9f2 7637->7641 7642 6d29bde6-6d29bdf8 call 6d28f9cc call 6d28f9df 7637->7642 7639->7607 7640->7588 7640->7639 7641->7607 7642->7607
                                                                                                  APIs
                                                                                                    • Part of subcall function 6D29BEB1: GetConsoleCP.KERNEL32(?,6D29B0D0,?), ref: 6D29BEF9
                                                                                                  • WriteFile.KERNEL32(?,?,6D2A46EC,00000000,00000000,?,00000000,00000000,6D2A5AB6,00000000,00000000,?,00000000,6D29B0D0,6D2A46EC,00000000), ref: 6D29BDAF
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6D2A46EC,6D29B0D0,00000000,?,?,?,?,00000000,?), ref: 6D29BDB9
                                                                                                  • __dosmaperr.LIBCMT ref: 6D29BDFE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                                                                  • String ID: 8Q
                                                                                                  • API String ID: 251514795-4022487301
                                                                                                  • Opcode ID: 71c5e6c1fde40d172d0131031a65c403caea7f00defd4d6e69f0d835c69dbc24
                                                                                                  • Instruction ID: 9404fa01be089716314fceba91babab55916bc81b9d4362da7871d1a79d39b64
                                                                                                  • Opcode Fuzzy Hash: 71c5e6c1fde40d172d0131031a65c403caea7f00defd4d6e69f0d835c69dbc24
                                                                                                  • Instruction Fuzzy Hash: C551917199820FAEDB019AAAC8C0FEEBB79EF0A359F010465D610AF191D7719941C771

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 7654 6d285b90-6d285b9c 7655 6d285bdd 7654->7655 7656 6d285b9e-6d285ba9 7654->7656 7657 6d285bdf-6d285c57 7655->7657 7658 6d285bab-6d285bbd 7656->7658 7659 6d285bbf-6d285bcc call 6d1501f0 call 6d290b18 7656->7659 7660 6d285c59-6d285c81 7657->7660 7661 6d285c83-6d285c89 7657->7661 7658->7659 7668 6d285bd1-6d285bdb 7659->7668 7660->7661 7663 6d285c8a-6d285d49 call 6d152250 call 6d152340 call 6d289379 call 6d14e010 call 6d287088 7660->7663 7668->7657
                                                                                                  APIs
                                                                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6D285D31
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                  • API String ID: 323602529-1866435925
                                                                                                  • Opcode ID: 9d67fbfe134448235873846bd4631a5491e64dfae791a048587c0961fd2ff48c
                                                                                                  • Instruction ID: 1c99267229574f9897765681bebb03d5b1120e9152deb2ef02f7b72d00adf798
                                                                                                  • Opcode Fuzzy Hash: 9d67fbfe134448235873846bd4631a5491e64dfae791a048587c0961fd2ff48c
                                                                                                  • Instruction Fuzzy Hash: DA5142B5900B048FD725CF29C584BA6BBF1FB48318F008A2DD9964BB91D7B5B909CF90
                                                                                                   Control-flow Graph
                                                                                                   control_flow_graph 7699 6d29b925-6d29b939 call 6d2a15a2 7702 6d29b93b-6d29b93d 7699->7702 7703 6d29b93f-6d29b947 7699->7703 7704 6d29b98d-6d29b9ad call 6d2a171f 7702->7704 7705 6d29b949-6d29b950 7703->7705 7706 6d29b952-6d29b955 7703->7706 7714 6d29b9bb 7704->7714 7715 6d29b9af-6d29b9b9 call 6d28f9f2 7704->7715 7705->7706 7707 6d29b95d-6d29b971 call 6d2a15a2 * 2 7705->7707 7708 6d29b973-6d29b983 call 6d2a15a2 CloseHandle 7706->7708 7709 6d29b957-6d29b95b 7706->7709 7707->7702 7707->7708 7708->7702 7721 6d29b985-6d29b98b GetLastError 7708->7721 7709->7707 7709->7708 7719 6d29b9bd-6d29b9c0 7714->7719 7715->7719 7721->7704
                                                                                                  APIs
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,6D2A425F), ref: 6D29B97B
                                                                                                  • GetLastError.KERNEL32(?,00000000,?,6D2A425F), ref: 6D29B985
                                                                                                  • __dosmaperr.LIBCMT ref: 6D29B9B0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                  • String ID:
                                                                                                  • API String ID: 2583163307-0
                                                                                                  • Opcode ID: 22981923e4bb647346246fb16e8bd0c086cc11a5c8ec9b42569bcfaad668fa3f
                                                                                                  • Instruction ID: 011837e929ffc8dd32c5d6fcad1ff1b84fca9839a8b23163ee0aac5c429c0487
                                                                                                  • Opcode Fuzzy Hash: 22981923e4bb647346246fb16e8bd0c086cc11a5c8ec9b42569bcfaad668fa3f
                                                                                                  • Instruction Fuzzy Hash: 710142339FC12E1AE601063BD8C9B7E376D8F8373DF164669E9168F1C1DFA084858650
                                                                                                   Control-flow Graph
                                                                                                   control_flow_graph 7944 6d290b9c-6d290ba7 7945 6d290ba9-6d290bbc call 6d28f9cc call 6d290120 7944->7945 7946 6d290bbe-6d290bcb 7944->7946 7958 6d290c10-6d290c12 7945->7958 7948 6d290bcd-6d290be2 call 6d290cb9 call 6d29873e call 6d299c60 call 6d29b898 7946->7948 7949 6d290c06-6d290c0f call 6d29ae75 7946->7949 7963 6d290be7-6d290bec 7948->7963 7949->7958 7964 6d290bee-6d290bf1 7963->7964 7965 6d290bf3-6d290bf7 7963->7965 7964->7949 7965->7949 7966 6d290bf9-6d290c05 call 6d2947bb 7965->7966 7966->7949
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 8Q
                                                                                                  • API String ID: 0-4022487301
                                                                                                  • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                                                                  • Instruction ID: 8eb1a8d0fe2ec430d9fe5fbfd88d69c1baec3ad9b496ad87115deeebdb8f674f
                                                                                                  • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                                                                  • Instruction Fuzzy Hash: 7CF0D1725C861D6ADA211A2B8E00F9B33A89F86378F120735EA709F0D0CB70D403C6B1
                                                                                                  APIs
                                                                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6D285AB4
                                                                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6D285AF4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                                                                  • String ID:
                                                                                                  • API String ID: 323602529-0
                                                                                                  • Opcode ID: 2bb375139c7c0fdc8e54aabb14fb305cf74e56cb9d3453c0aa5a37c7e37196a0
                                                                                                  • Instruction ID: e753925c4a9e0db6de17acbb6e13c97b8b9bbfea36f8909497da5789ba37182c
                                                                                                  • Opcode Fuzzy Hash: 2bb375139c7c0fdc8e54aabb14fb305cf74e56cb9d3453c0aa5a37c7e37196a0
                                                                                                  • Instruction Fuzzy Hash: 9A514570244B09DBE725CF24C884BA6BBF4FB04714F448A5CE5AB4B6D2DB31B548CB81
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(6D2B6DD8,0000000C), ref: 6D28EF52
                                                                                                  • ExitThread.KERNEL32 ref: 6D28EF59
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorExitLastThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 1611280651-0
                                                                                                  • Opcode ID: 19dad1203bcea38bdd9d08ef78b66d61e21874ad0bdbe97d5436ea21cece1fd6
                                                                                                  • Instruction ID: 819a27cb2fbd690528ad7dfedac1c7e4951b32291e9cb651fec78ec841c817ed
                                                                                                  • Opcode Fuzzy Hash: 19dad1203bcea38bdd9d08ef78b66d61e21874ad0bdbe97d5436ea21cece1fd6
                                                                                                  • Instruction Fuzzy Hash: 3AF0F67198860DAFDB00AFB1C448B3E3B74FF46719F214159E1159B282CF76A902CBE1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __wsopen_s
                                                                                                  • String ID:
                                                                                                  • API String ID: 3347428461-0
                                                                                                  • Opcode ID: 6d8fea9683e54e43f703fe888cb1e7add5d66e781f03dc4a0246384fe87bbd36
                                                                                                  • Instruction ID: 143a82f215e59cbf3c41c5981b1b8b2d6cc77ffc083107dce522120d92159eb0
                                                                                                  • Opcode Fuzzy Hash: 6d8fea9683e54e43f703fe888cb1e7add5d66e781f03dc4a0246384fe87bbd36
                                                                                                  • Instruction Fuzzy Hash: 3F113A71A0420EAFCB05CF59E945A9B7BF9EF89314F054069F805AB211D671E911CBA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free
                                                                                                  • String ID:
                                                                                                  • API String ID: 269201875-0
                                                                                                  • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                                                                  • Instruction ID: f9b1ed602a924752eb8ba3cb2eca8a63b9726b9bac3a9c3ddf43ec5aa7e7e03b
                                                                                                  • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                                                                  • Instruction Fuzzy Hash: 7E012172C4416EBFCF019FA8CD019EE7FB5EB48314F154165EE28A2190E7318625DB91
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(00000000,00000000,?,6D2A4115,?,?,00000000,?,6D2A4115,00000000,0000000C), ref: 6D2A4474
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: 6ac555068df6de59e32dd0fbc50d8736dc9a2f97783d6f767fab3cbf25fb814a
                                                                                                  • Instruction ID: 86dbd74fdc1c190d7fe0a1c278c8662b9da3d50e654b7eb778a5065299dcb50d
                                                                                                  • Opcode Fuzzy Hash: 6ac555068df6de59e32dd0fbc50d8736dc9a2f97783d6f767fab3cbf25fb814a
                                                                                                  • Instruction Fuzzy Hash: 11D06C3204010DBBDF028E84DC46EDA3BAAFB8C718F014000BA1856020C772E862EB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1428450025.000000006D101000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D100000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1428427924.000000006D100000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429644063.000000006D2A8000.00000002.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1431306732.000000006D472000.00000002.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                                                                  • Instruction ID: 03908f2a11d02c07f0d1667d43d2e69c5e873dc8d4fb323c178b218b87bd94ed
                                                                                                  • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                                                                  • Instruction Fuzzy Hash:
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 6D3184B1
                                                                                                    • Part of subcall function 6D31993B: __EH_prolog.LIBCMT ref: 6D319940
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
                                                                                                   • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: 1$`)K$h)K
                                                                                                  • API String ID: 3519838083-3935664338
APIs
• __EH_prolog.LIBCMT ref: 6D30AEF4
  • Part of subcall function 6D30E622: __EH_prolog.LIBCMT ref: 6D30E627
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: $h%K
• API String ID: 3519838083-1737110039
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: $J
• API String ID: 3519838083-1755042146
APIs
• __EH_prolog.LIBCMT ref: 6D2E6CE5
  • Part of subcall function 6D2BCC2A: __EH_prolog.LIBCMT ref: 6D2BCC2F
  • Part of subcall function 6D2BE6A6: __EH_prolog.LIBCMT ref: 6D2BE6AB
  • Part of subcall function 6D2E6A0E: __EH_prolog.LIBCMT ref: 6D2E6A13
  • Part of subcall function 6D2E6837: __EH_prolog.LIBCMT ref: 6D2E683C
  • Part of subcall function 6D2EA143: __EH_prolog.LIBCMT ref: 6D2EA148
  • Part of subcall function 6D2EA143: ctype.LIBCPMT ref: 6D2EA16C
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog$ctype
• String ID:
• API String ID: 1039218491-3916222277
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID: 3J$`/J$`1J$p0J
• API String ID: 0-2826663437
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: W
• API String ID: 3519838083-655174618
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-3916222277
APIs
• __EH_prolog.LIBCMT ref: 6D30489B
  • Part of subcall function 6D305FC9: __EH_prolog.LIBCMT ref: 6D305FCE
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: @ K
• API String ID: 3519838083-4216449128
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: x=J
• API String ID: 3519838083-1497497802
APIs
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID: @4J$DsL
• API String ID: 0-2004129199
APIs
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
Strings
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
                                                                                                  • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                                                                                  • Instruction ID: 5f96f2d272b4e4a77a5b24b8b2b52a847b46d7eab4c0b16a9e6c6965951c411d
                                                                                                  • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                                                                                  • Instruction Fuzzy Hash: D11207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __aullrem
                                                                                                  • String ID:
                                                                                                  • API String ID: 3758378126-0
                                                                                                  • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                                                                  • Instruction ID: 8cfa24254fa0395b8689556a0e131e0e2b17f20d015ea530ee4d73abba9aca28
                                                                                                  • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                                                                  • Instruction Fuzzy Hash: 835128B1A482459BD710CF5AC4C06EEFBE6EF79214F14C01EF8C883242E27A5D8AC761
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: @
                                                                                                  • API String ID: 0-2766056989
                                                                                                  • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                                                                  • Instruction ID: 41610c037c8dacb64670806a54fa81657b2ff4a430e1c48a4c46d42436af9ea1
                                                                                                  • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                                                                  • Instruction Fuzzy Hash: 35D13E729083148FC758DF4AD84045BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (SL
                                                                                                  • API String ID: 0-669240678
                                                                                                  • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                                                                  • Instruction ID: 4ad210362628b25c7f48ab4dcf1f543d4307c99e75c7e97ec8878d78345267fb
                                                                                                  • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                                                                  • Instruction Fuzzy Hash: 5A518573E208214AD78CCE24DC21B7572D2E784310F8BC1B99D4BAB2E6DD78685587D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                                                                  • Instruction ID: 4d57cd01e48fce635caa1e0e06d940d9885d75957a708938d9c7c31074232226
                                                                                                  • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                                                                  • Instruction Fuzzy Hash: 7E726CB2A042178FD748CF18C490668FBE1FB89310B5A46ADD95ADF742DB31E895CBC0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                                                                  • Instruction ID: 10cc0319691c978c41a418146062d94de9877dc0544d864bfb012dd411a8bf65
                                                                                                  • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                                                                  • Instruction Fuzzy Hash: E0527F31608B958BD328CF2AC5906AAB7E2FF89308F158A2DD4DAC7751DB71F845CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                                                                  • Instruction ID: 60187617a90c9e34d03af8d9c3cfd9e49b4a82bfa116ccfc1a5435bbd2bc284f
                                                                                                  • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                                                                  • Instruction Fuzzy Hash: D762F2B5A083468FC714CF29C58092EBBF5BFC8744F108A2EE9998B315D775E845CB92
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                                                                  • Instruction ID: e5db92c590ac67f413b96077c7c2b2264e3a02958797330092aa9bd39bb8320b
                                                                                                  • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                                                                  • Instruction Fuzzy Hash: A3428D31614B068FD368CF69C8807AAB3E6FB84344F048A2DE9D687794E778E545CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                                  • Instruction ID: 309becf5f07531c90dbe1d002994dc07a5a9327e276af3f6076bef69451fe6ca
                                                                                                  • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                                  • Instruction Fuzzy Hash: FC12CE712087968FC718CF68C69066AFBE2BFC8340F56892DE9D687741D732E845CB42
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                                                                  • Instruction ID: 063f81e548d29d9f8ffe48da1b4f3b6e8fd353e56b8a4676ab9b30a8d7a91a0e
                                                                                                  • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                                                                  • Instruction Fuzzy Hash: 14024873A5835147D758CE1DCC80229B7E7FBC4390F2A8A3EF89547384DAB8994AC791
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                                  • Instruction ID: d0b58be973804a0fd840fb676b9ddcd94085d44fefdf1940a7d753e0fbc5ed41
                                                                                                  • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                                  • Instruction Fuzzy Hash: CF022D72A183118FD319CE28C480369BBF6FBC8355F158A3EE49697654D7B8D884CB92
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                                                                  • Instruction ID: 06a965b441b92651c29899d8c6b99c52814233f56250fe6edf9de756aeac754b
                                                                                                  • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                                                                  • Instruction Fuzzy Hash: 8F12BD70618B618FC328CF2EC494626FBF2BF85305F14896ED1D6C7AA1D73AA548CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                                                                                  • Instruction ID: aaebe62084433275bc52592cc338cf4d45473341a0af5ce4115d39f8a31a7ae5
                                                                                                  • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                                                                                  • Instruction Fuzzy Hash: F802A0716187218FC328CF2ED49022AFBF1AF89301F14896EE5DA87791D33AE559CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
• Instruction ID: 328fc3d5d82c8b53fd45127e67bfa8c8bf2c07da1cc59545a9a4080d800bc429
• Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
• Instruction Fuzzy Hash: 5AE10F72604B958FD724CF28D5603ABB7E2EBC4310F56892DC69687781DB36E40ACB81

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
• Instruction ID: 39d568fafd71bceb817487c8e438f98575a2659eb73a5aa53be69a11a9d87b65
• Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
• Instruction Fuzzy Hash: AAF1EF71608B518FC328CF2DD490266FBE2BF89304F188A6EE5D6CB691D339E594CB51

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
• Instruction ID: 639a090c6beaeed362cd229706e4d61c7f011890b9806622105b027b3af17bdb
• Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
• Instruction Fuzzy Hash: D9F1E2705087628FC329CF29C49026AFBF1BF85304F14CA2ED5DA8B691D37AE559CB51

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
• Instruction ID: b65568560592fb655e1a5d5be3675c97326388befaa015898f3e59b801a13a45
• Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
• Instruction Fuzzy Hash: 22C1CF71604B568FE329CF2DC5906AAB7E2FBC4310F268A2DC1A687B45D674F495CBC0

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
• Instruction ID: c499f7b445dfd03d95efdb01904590b4668f280cbe548bb4c64e539f378a2946
• Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
• Instruction Fuzzy Hash: 56E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A952DB94

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
• Instruction ID: d546ba36bf42dd8366724b3fd24454b8d69a5aca55365fa4792549af28926b61
• Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
• Instruction Fuzzy Hash: 53B19E71A152618FC350CF2DC9802557BA2FFC522977687ADC4A4EF69AD336E807CB90

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
• Instruction ID: 78edd1b4b1c0e6d0208448aa72d20c72d602db6d250d53ac161624b907feb029
• Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
• Instruction Fuzzy Hash: D3C1F6352087818BC729CE39D2A02A7BBE2EFD9304F158A6DC5CA4B755DA31A40DCB95

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
• Instruction ID: 9bf3e9dbdcfc587c77c8cfc78ecad1ef3639e87e6c21e05b1863e9f5212224f3
• Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
• Instruction Fuzzy Hash: 48B193726043918FD341CF28C985354BBA2FF85228B76879ED4949F246E337E857CB91

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
• Instruction ID: 5ebe2fe16e7158bf47a61deb02e422cf8d55983abcaeffcb3f3576dbded0e1ad
• Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
• Instruction Fuzzy Hash: 90D1E7B1848B9B5FD394EF4DEC82A357762AB88301F4A8239DB6007753D634BB12D794

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
• Instruction ID: ab9789ea6f4a5f13191290be685340d6591bf63c46a08bedf780c7cf156fb89b
• Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
• Instruction Fuzzy Hash: C5B1D131B08B054BD364DF79D892BEAB7E1AF84304F04852DCAEAC7241EF75A909C795

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
• Instruction ID: 648c53bb1a4757ad868d3db59ca40e57260c1aec009d834a1cfe34ca43bd6794
• Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
• Instruction Fuzzy Hash: F46132B27082658FD308CF99E680AA6B3E5EB99321B1285BFD115CF361E772DC45C718

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
• Instruction ID: f7aab236a0c489755842c2caaebb9a494253caf29c674c34a49e85dbe1292cac
• Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
• Instruction Fuzzy Hash: CB81F2B2D447298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
• Instruction ID: 7940895fa13c62d1385b154040437dc9421eada1e916acab86f5673722f29366
• Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
• Instruction Fuzzy Hash: 87918F72C1871A8BD314DF18C88026AB7E0FB88318F45467DED99A7341D739EA55CBC5

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
• Instruction ID: d52b79d4d5497f3abd3a224e2df4255ca62be747322c3e1f8e6fd8a3175d166c
• Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
• Instruction Fuzzy Hash: 1A519D72F4060E9BDB48CE99DA916EDBBF2EB88304F24806AD111E7391D7759A41CB50

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
• Instruction ID: c012adb0ced14db43030cb42d0ab4561d7a6efcee773ab6d198a33a04a21b5a2
• Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
• Instruction Fuzzy Hash: 8A3114677A440647C75CC92BCC127AF91539BD422671ECF39A809DAF55D52CD8124144

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
• Instruction ID: 321cc8e1f60fac5e2393cdaac00f73714771ab898611a3e1699a154b15cc67cb
• Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
• Instruction Fuzzy Hash: 18312873514BA70BF301862D8B853667323EBC2364F67C765D966E72ECCAB29C478140

Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                  • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                                                                  • Instruction ID: fef419e6fbd3867dc40e5b25e9a376099ac06248cd4b64a19907028a7ffa6c46
                                                                                                  • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                                                                  • Instruction Fuzzy Hash: CA41B3B19047068BD704CF18C8915BAB3E4FF88318F458A2DED5A97341E335EA15CBD1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                                                                                  • Instruction ID: d6b2157a42e5031ad6c2e78333e2875be6d6d89e42c1db94215953c673b2289c
                                                                                                  • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                                                                                  • Instruction Fuzzy Hash: D12106B1A047E707E7209E6DCC8077577D2ABC6301F098179DAB48E687E17A94B2D3A0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                                                                                  • Instruction ID: 65d556054e7b96e52d7135e03663ff9d20cd5d7d963799f4edf1fb191990c0a8
                                                                                                  • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                                                                                  • Instruction Fuzzy Hash: 4401D17291462E57DB189F08CC41132B390FB84312F49823ADD479B385E734F870C6C0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                                                                  • API String ID: 3519838083-609671
                                                                                                  • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                                                                  • Instruction ID: 3e78db10d7dc84e8b8e511a2909003c69e723b41e13014e1c04dd050108cc23b
                                                                                                  • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                                                                  • Instruction Fuzzy Hash: 2CD1AC71A8420EAFCB11CFA4D990EEEB7B5FF09394F508429E556E3250EB71A904CB60
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: $ $$ K$, K$.$o
                                                                                                  • API String ID: 3519838083-1786814033
                                                                                                  • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                                                                                  • Instruction ID: 99c8bdaf6d82d8e98a38898b5e5842cff635113249d4d47206308afcb1580368
                                                                                                  • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                                                                                  • Instruction Fuzzy Hash: 3AD10732D0825E8FCF11CFA8D891BEEBBB1BF19304F14866AC595BB241C7725945CB61
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __aulldiv$H_prolog
                                                                                                  • String ID: >WJ$x$x
                                                                                                  • API String ID: 2300968129-3162267903
                                                                                                  • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                                                                  • Instruction ID: 3ae3e560c780770dc4c2418572c33e77a207e3df0f8bf33f48edd682551b4285
                                                                                                  • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                                                                  • Instruction Fuzzy Hash: 0B12887194420EEFDF50DFA4C880AEDBBB5FF4831AF218169E955AB290C7359944CF90
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __aulldiv$__aullrem
                                                                                                  • String ID:
                                                                                                  • API String ID: 2022606265-0
                                                                                                  • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                                  • Instruction ID: 1958ef9ab65a3caf1ee40f327e13e7f9be5a04504c2b7972c270061d71d67032
                                                                                                  • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                                  • Instruction Fuzzy Hash: 8021937094421EBBDF618F948C80DEF7AA9FF457E5F20C325BA24A2194D271CD60D6A2
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 6D2CA6F1
                                                                                                    • Part of subcall function 6D2D9173: __EH_prolog.LIBCMT ref: 6D2D9178
                                                                                                  • __EH_prolog.LIBCMT ref: 6D2CA8F9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: IJ$WIJ$J
                                                                                                  • API String ID: 3519838083-740443243
                                                                                                  • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                                                                  • Instruction ID: d6fdf9cc1f976fb7f02cdf35620a30013350eec702a51426bd3f42682dc8539d
                                                                                                  • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                                                                  • Instruction Fuzzy Hash: 7171C030A8824ADFDF14CFA4C484FEDB7B0BF14308F1181A9D9556B291CBB4AE09CB91
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 6D2DE41D
                                                                                                    • Part of subcall function 6D2DEE40: __EH_prolog.LIBCMT ref: 6D2DEE45
                                                                                                    • Part of subcall function 6D2DE8EB: __EH_prolog.LIBCMT ref: 6D2DE8F0
                                                                                                    • Part of subcall function 6D2DE593: __EH_prolog.LIBCMT ref: 6D2DE598
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: &qB$0aJ$A0$XqB
                                                                                                  • API String ID: 3519838083-1326096578
                                                                                                  • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                                                                  • Instruction ID: 1ef99eda2266d52e57c3438d4b40acb1e28c56c3db0c16985cb52cdc5bcdbe0d
                                                                                                  • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                                                                  • Instruction Fuzzy Hash: 89218B71D8924CAECB09DBE4D9859EDFBB4AF25358F214139E61267280DBB81E08CB51
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: J$0J$DJ$`J
                                                                                                  • API String ID: 3519838083-2453737217
                                                                                                  • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                                                                                  • Instruction ID: 8b450dff4ed2bf0f8e2653c359c2cbf58bad07579e1041c69c74fcc950298db4
                                                                                                  • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                                                                                  • Instruction Fuzzy Hash: 5411D3B1904B68CEC720CF5AC45459AFBE4FFA5708B11C91FC5A687B50C7F8A504CB99
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: $!$@
                                                                                                  • API String ID: 3519838083-2517134481
                                                                                                  • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                                  • Instruction ID: f53e0ffe77847c6f2310fd69524d6089c09f2054d91ec6664790cf40e1d97f57
                                                                                                  • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                                  • Instruction Fuzzy Hash: BB129EB4E0524AEFCF04CFA4C4D0AEDBBB5BF48304F148469E945AB755DB31A991CBA0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog__aulldiv
                                                                                                  • String ID: $SJ
                                                                                                  • API String ID: 4125985754-3948962906
                                                                                                  • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                                                                  • Instruction ID: 2cca146699ccd6d38fbdcb42c63bcafee198471a30899707ad6cf24970132e2d
                                                                                                  • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                                                                  • Instruction Fuzzy Hash: 6AB15CB1D4420ADFCB64CFA9C9809AEBBF1FF48315F21852EE555A7250D731AA41CBA0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: $CK$CK
                                                                                                  • API String ID: 3519838083-2957773085
                                                                                                  • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                                                                                  • Instruction ID: 093ed7d34518fc7df24f7442d38223eb813585e3c3ff7b5d06f9b3e6e243ab94
                                                                                                  • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                                                                                  • Instruction Fuzzy Hash: 2221B370E8520ECBCB54DFE8C8D45EEF7B6FF94306F64852AC512A7295C7745A028AE0
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 6D2E4ECC
                                                                                                    • Part of subcall function 6D2CF58A: __EH_prolog.LIBCMT ref: 6D2CF58F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: :hJ$dJ$xJ
                                                                                                  • API String ID: 3519838083-2437443688
                                                                                                  • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                                                                  • Instruction ID: bed64e278424534cc055d51e97fc74e8f5b47f413c1b9913ac070c5d909f539a
                                                                                                  • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                                                                  • Instruction Fuzzy Hash: 1221E9B0805B44CFC760CF6AC14464ABBF4FF29718B00C96EC1AA97B11D7B8A608CF55
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: <J$DJ$HJ$TJ$]
                                                                                                  • API String ID: 0-686860805
                                                                                                  • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                                                                  • Instruction ID: 46f8c8ed2c03a56843090548c34333810f00a7d1152cffb64718d24437bb0295
                                                                                                  • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                                                                  • Instruction Fuzzy Hash: 4E41BF70C8828EAFCF54CBA1D4A0CEEB770AF15308B51C579D27267061EB75AA49CB02
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __aulldiv
                                                                                                  • String ID:
                                                                                                  • API String ID: 3732870572-0
                                                                                                  • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                                                                  • Instruction ID: c75a4af3eb65137faf2706773cb5121e772a780bb284a0dafae2dddb970cf13e
                                                                                                  • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                                                                  • Instruction Fuzzy Hash: D61190B6654209BFEB654BA4CC80EBF7BBDEF85B44F10C52DF68156190C671AC10D760
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 6D2BE077
                                                                                                    • Part of subcall function 6D2BDFF5: __EH_prolog.LIBCMT ref: 6D2BDFFA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: :$\
                                                                                                  • API String ID: 3519838083-1166558509
                                                                                                  • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                                                                  • Instruction ID: 9cb1be20fdef95b9c3836bcbf7feaf1d085179190be1e6320f6da20ffb33793b
                                                                                                  • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                                                                  • Instruction Fuzzy Hash: 0BE1353098820E9ACF15DFA4C490BFEB7B1BF4539CF108169D952A7290EBF5A945CB11
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: @$hfJ
                                                                                                  • API String ID: 3519838083-1391159562
                                                                                                  • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                                                                  • Instruction ID: 9b3490d6149b34f280a984cbd1a1d6ae178f8286a65742990404c29a8943c5ae
                                                                                                  • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                                                                  • Instruction Fuzzy Hash: 32916B7095020EEFCB10DF99C8849EEFBF4BF1834AF94456EE155A32A0D771AA44CB21
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 6D2D8C5D
                                                                                                    • Part of subcall function 6D2D761A: __EH_prolog.LIBCMT ref: 6D2D761F
                                                                                                    • Part of subcall function 6D2D7A2E: __EH_prolog.LIBCMT ref: 6D2D7A33
                                                                                                    • Part of subcall function 6D2D8EA5: __EH_prolog.LIBCMT ref: 6D2D8EAA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: WZJ
                                                                                                  • API String ID: 3519838083-1089469559
                                                                                                  • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                                                                  • Instruction ID: 6cd87aadce3ba54091cb9c0aa51ab4b5f2565a4053307dd6138895a9abe9638e
                                                                                                  • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                                                                  • Instruction Fuzzy Hash: 8C817A31D4414DDFCF15DFA8D890ADEBBB4AF19308F2140AAE61677290DB70AE05CBA1
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog__aullrem
                                                                                                  • String ID: d%K
                                                                                                  • API String ID: 3415659256-3110269457
                                                                                                  • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                                                                                  • Instruction ID: cb49274852ffb20c6d875ccb0d256063ea44f60e6e3e51dbd4994f9465cfc3f3
                                                                                                  • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                                                                                  • Instruction Fuzzy Hash: 1A61BD72A0420A9FDF01CF64D585FAEB7F1BF89349F118068D994AB281D772DA05CBA1
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: CK$CK
                                                                                                  • API String ID: 3519838083-2096518401
                                                                                                  • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                                                                  • Instruction ID: c9040ca01cbfecbe5cca4d393ca711c87abcb79c9edf836ced398ac6f874b086
                                                                                                  • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                                                                  • Instruction Fuzzy Hash: 5851B475A0030A9FDB04CFA4C8C1BFEB3B9FF88754F158529DA01AB245DB75E9458BA0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: <dJ$Q
                                                                                                  • API String ID: 3519838083-2252229148
                                                                                                  • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                                                                  • Instruction ID: 7c73c6ada66d5ffc4e69988ea2b969bb83d8f0345c0496d02e45b7e838c06896
                                                                                                  • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                                                                  • Instruction Fuzzy Hash: 43519C7199420EEFCF01CFA9C980CEDB7B1BF49388F50842EE615AB250DB719A46CB10
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: PdJ$Q
                                                                                                  • API String ID: 3519838083-3674001488
                                                                                                  • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                                                                                  • Instruction ID: 61c112676b71acedc14455c6a350f0332bb5325c18c88696a7b506c188c04620
                                                                                                  • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                                                                                  • Instruction Fuzzy Hash: 6341B071D8420EDBCF11DFA9C5909EDB3B0FF89395B50C12AD564AB240CB719D42CBA1
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: 0|J$`)L
                                                                                                  • API String ID: 3519838083-117937767
                                                                                                  • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                                  • Instruction ID: 870350877c99c7c72214e520f7a8f7023554a1ddf65177bb8a6282a6abb15cba
                                                                                                  • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                                  • Instruction Fuzzy Hash: 7741E83168474ADFDB118F60C590BBEFBE2FF49249F01483EE15657250CBB16912CB51
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                  • Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __aulldiv
                                                                                                  • String ID: 3333
                                                                                                  • API String ID: 3732870572-2924271548
                                                                                                  • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                                  • Instruction ID: 69948cc32d5d1d87df6c05c455ad342b950ff7d53840a0d9c59a84bea1767401
                                                                                                  • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                                  • Instruction Fuzzy Hash: 2A2194B0D847486FE7308FA98880F6BFAF9EB44754F50CD2EA186D3240D771A9458B65
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: @$LuJ
• API String ID: 3519838083-205571748
• Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
• Instruction ID: cf30ec0f3708bd6cc642c74454a0080e3a4048fa9e850b37d8da1621dec8fedb
• Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
• Instruction Fuzzy Hash: 7A0161B2E8824ADADB10DFDA8580AAEF7B4FF55704F80C82EE569E3240D3745905CB55
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: @$xMJ
• API String ID: 3519838083-951924499
• Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
• Instruction ID: 4fe3fc6b14a14fbc002828c87602f0f4676583e51c3847dc3f5adb1c17098996
• Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
• Instruction Fuzzy Hash: EE117C71E4024ADBCB00CF9AC4909AEB7B4FF58748B40C56ED569E7200D3789A01DB96
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: p/K$J
• API String ID: 3519838083-2069324279
• Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
• Instruction ID: b3ff3a297d2ae0ddce4e0661f7f5c742e1101edfd23b5adb13a74c05f5154253
• Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
• Instruction Fuzzy Hash: 9801DFB2A147119FD724CF58C9047AAF7F8EF54719F10C82FD196A3640C7F8A5088BA4
APIs
• __EH_prolog.LIBCMT ref: 6D2FAFCC
  • Part of subcall function 6D2FA4D1: __EH_prolog.LIBCMT ref: 6D2FA4D6
  • Part of subcall function 6D2F914B: __EH_prolog.LIBCMT ref: 6D2F9150
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: J$0J
• API String ID: 3519838083-2882003284
• Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction ID: 611cca9d32ebf686fff745ac51a02d7c9812904070f04358eaa5976a392b0475
• Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction Fuzzy Hash: 020105B1844B55CFC325CF59C5A468AFBE0FB15304F90CD6EC1A657B50D7B8A508CB68
APIs
• __EH_prolog.LIBCMT ref: 6D2F43F9
  • Part of subcall function 6D2F4320: __EH_prolog.LIBCMT ref: 6D2F4325
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prolog
• String ID: `)L$|{J
• API String ID: 3519838083-2198066115
• Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
• Instruction ID: 56a9000b1e268aad9cb7c015a1f7124d4a8f3ded575311cecf3e99d8268e3986
• Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
• Instruction Fuzzy Hash: BCF05876A54018BFCB059F94DD04BDEBBA9FF49314F00802AFA05A6160CBB56A128B98
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID: H_prologctype
• String ID: <oJ
• API String ID: 3037903784-2791053824
• Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
• Instruction ID: f34c1d2be8957ff62643e878fefd24c80d95798ae061c10dbd1e10bcc89c0610
• Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
• Instruction Fuzzy Hash: B6E06532A595169BD7089F48D810FAEF7B4EF95754F02411EE111A7691CBB1A8108684
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID: D)K$H)K$P)K$T)K
• API String ID: 0-2262112463
• Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
• Instruction ID: e9ec67fae973c18a7ff09f7bcf62607f52b34e3b1ba1315a26d535b23e0fc4da
• Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
• Instruction Fuzzy Hash: 4751C47298C20B9BCF08CF90DC40AEEB7B5FF1A35CF154429EA1167290DBB69954C761
Memory Dump Source
• Source File: 00000006.00000002.1429752988.000000006D2B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D2B8000, based on PE: true
• Associated: 00000006.00000002.1430461838.000000006D383000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1430492845.000000006D389000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d100000_Zt43pLXYiu.jbxd
Similarity
• API ID:
• String ID: (?K$8?K$H?K$CK
• API String ID: 0-3450752836
• Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
• Instruction ID: 167cab612c9a65a4d7f578c6a31fc3d56bdd0803cfdce2fc9f4c8be54d59dbbf
• Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
• Instruction Fuzzy Hash: C6F03AB16057009FC320CF05D54869BFBF4EB4570AF51C81EE59A9BA40D3BDA5088FB8